2fe1edacaa87b151e5d93f80b67af038510da98df6326f0856f041d87fe22569

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8bb754c4c61680ba15b7c698581bf560N.exe
Size

59KB
MD5

8bb754c4c61680ba15b7c698581bf560
SHA1

664c13897a2309fcf6638925d02cc1d722ed2b1d
SHA256

2fe1edacaa87b151e5d93f80b67af038510da98df6326f0856f041d87fe22569
SHA512

1c9cda59c449495dc30cc34ab85727fc81db552778bce93f4ad6f5a1ddb80e45c406706afb6d4f846a35508f98e3e4b664c49939b50504222309b20367530560
SSDEEP

1536:xDlzXVuchDX+RNGA6mdVSzVUredJWWNBg2LyO:xRX1xRA6mdUUKrrVyO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8bb754c4c61680ba15b7c698581bf560N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8bb754c4c61680ba15b7c698581bf560N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe

Executes dropped EXE 10 IoCs

pid	Process
876	Djgjlelk.exe
748	Daqbip32.exe
4444	Dhkjej32.exe
896	Dodbbdbb.exe
4424	Daconoae.exe
1812	Dhmgki32.exe
1072	Dogogcpo.exe
4632	Deagdn32.exe
2332	Dknpmdfc.exe
4288	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	8bb754c4c61680ba15b7c698581bf560N.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	8bb754c4c61680ba15b7c698581bf560N.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	8bb754c4c61680ba15b7c698581bf560N.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4720	4288	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bb754c4c61680ba15b7c698581bf560N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8bb754c4c61680ba15b7c698581bf560N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8bb754c4c61680ba15b7c698581bf560N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8bb754c4c61680ba15b7c698581bf560N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8bb754c4c61680ba15b7c698581bf560N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8bb754c4c61680ba15b7c698581bf560N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	8bb754c4c61680ba15b7c698581bf560N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 876	3212	8bb754c4c61680ba15b7c698581bf560N.exe	83
PID 3212 wrote to memory of 876	3212	8bb754c4c61680ba15b7c698581bf560N.exe	83
PID 3212 wrote to memory of 876	3212	8bb754c4c61680ba15b7c698581bf560N.exe	83
PID 876 wrote to memory of 748	876	Djgjlelk.exe	84
PID 876 wrote to memory of 748	876	Djgjlelk.exe	84
PID 876 wrote to memory of 748	876	Djgjlelk.exe	84
PID 748 wrote to memory of 4444	748	Daqbip32.exe	85
PID 748 wrote to memory of 4444	748	Daqbip32.exe	85
PID 748 wrote to memory of 4444	748	Daqbip32.exe	85
PID 4444 wrote to memory of 896	4444	Dhkjej32.exe	86
PID 4444 wrote to memory of 896	4444	Dhkjej32.exe	86
PID 4444 wrote to memory of 896	4444	Dhkjej32.exe	86
PID 896 wrote to memory of 4424	896	Dodbbdbb.exe	87
PID 896 wrote to memory of 4424	896	Dodbbdbb.exe	87
PID 896 wrote to memory of 4424	896	Dodbbdbb.exe	87
PID 4424 wrote to memory of 1812	4424	Daconoae.exe	88
PID 4424 wrote to memory of 1812	4424	Daconoae.exe	88
PID 4424 wrote to memory of 1812	4424	Daconoae.exe	88
PID 1812 wrote to memory of 1072	1812	Dhmgki32.exe	89
PID 1812 wrote to memory of 1072	1812	Dhmgki32.exe	89
PID 1812 wrote to memory of 1072	1812	Dhmgki32.exe	89
PID 1072 wrote to memory of 4632	1072	Dogogcpo.exe	90
PID 1072 wrote to memory of 4632	1072	Dogogcpo.exe	90
PID 1072 wrote to memory of 4632	1072	Dogogcpo.exe	90
PID 4632 wrote to memory of 2332	4632	Deagdn32.exe	91
PID 4632 wrote to memory of 2332	4632	Deagdn32.exe	91
PID 4632 wrote to memory of 2332	4632	Deagdn32.exe	91
PID 2332 wrote to memory of 4288	2332	Dknpmdfc.exe	92
PID 2332 wrote to memory of 4288	2332	Dknpmdfc.exe	92
PID 2332 wrote to memory of 4288	2332	Dknpmdfc.exe	92

C:\Users\Admin\AppData\Local\Temp\8bb754c4c61680ba15b7c698581bf560N.exe
"C:\Users\Admin\AppData\Local\Temp\8bb754c4c61680ba15b7c698581bf560N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\Djgjlelk.exe
  C:\Windows\system32\Djgjlelk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\Daqbip32.exe
    C:\Windows\system32\Daqbip32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\Dhkjej32.exe
      C:\Windows\system32\Dhkjej32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
      - C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 396
        12⤵
        Program crash
        
        PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4288 -ip 4288
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
59KB

MD5
d4106e8e560fe30700ed69477937ad9d

SHA1
3ce4ca6fd28cf51a289cc16e7ef55e396f912ad3

SHA256
5f4c4060406d18a6a83444d60b12cfc05ba150d1d874420be48fb9de2169ed51

SHA512
7470723294966b84a6632fef657fa2249ef5ed472b639f0aeb8f34dcc90cdceca45189d128c1a983c1873b482ff951169e7db37b27fb29a8b95a6844fc12a75b

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
59KB

MD5
8a16c0bec2e03a1c3c80af51b336dd1b

SHA1
9db0666e1dc5d1a9b52f0df5b0a66e15338cd5b2

SHA256
da8593302140e776356ccb077afcab62ceec713267f3e87633adaee59277d621

SHA512
74ba3c396c3cdfd905a71f07ec43000b48e10d8d7b8f5745585314b180a49f54dd62deb55e6cbdc621b4d03c06a2559671d717bee614c3fed41014753b652188

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
59KB

MD5
9945ff24c8b30cbcc9c63a7af4316762

SHA1
3d8d1ee81ea969efb45ed2e68b1c4f305b0aebe8

SHA256
0594a6d24a9569b51afdcf0d2f9425e29deb699c20797cae6dc781733e1e53a8

SHA512
9eb3204ebd68978cd3a16a0350e4a08b2cd26bff71d333f36d0d8a6498df54c21b7b9c11ec3e0e573c1ceab13d9556a2e31730584305b3d4b4d030007e075a27

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
59KB

MD5
45fc4860f33630eecf8b8b112f78e45c

SHA1
e737dc1ac0a5d80861f41408607c3fa154b4436b

SHA256
5caeb0ffc78b022f09b69a25fcac9d58f5fbb120aceabd9762ec23f4b30fd9b8

SHA512
2144d5b0ebdd330520ff74a49136131cb90b6e4beb806ec0f5b2f853a70deb3ca1f02dacba75f5ae8b6fcdf362d2154bc6784a5babd74aa273acc54a17b35b34

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
59KB

MD5
d9b607308892df3c85e1b850984bf699

SHA1
7964f245f822aff34ba526a41a3af6959ea9c900

SHA256
12794046c359feb4cd16ab70100360e1e082a1ff4e6d1a951134d42793a1a66d

SHA512
3e7f35936e4ab0cb7433d6f208e61edece3522f2d5f4a0a35460da2339886db6cd1a40d9918aaa21da10c5c26274c8386a9c3cd15a9aee6ca6bdd25603f18360

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
59KB

MD5
38d365bd68f537c5d59a2739d1664d2d

SHA1
9717f451cafceb49f25bbfe52c0722cb1353899e

SHA256
fbad22d2918d1dab6b902bcf07cab04a05c06869e19259bfceb1f4f784bb151c

SHA512
6de554432247c4a43503802071c8cd5bd8b5ce7b0762bd5ef8454987556e5240a52b1ef420a0ec8c455ab54d6e0845e80534f5841f86f105eead2877c9af1ac8

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
59KB

MD5
2347655985061f5fb0b982e8496c349a

SHA1
12d4959a4b56abddf44b23c0eeab1b302789fbca

SHA256
04527cd2340238af91d8bcfa2fe640011e4ed439dbf9b47771be43959facc561

SHA512
6ecb0ba478671fc1194b2cb46e11536cbcc346264df12c919a8c22b9c6b3d943b3933b14c1b903cd0f267f41abb035ac9e97834b1e29499a6a7656e708b1a95a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
59KB

MD5
99e2fc2e0e07a8c37bcbae048b4d5dd8

SHA1
362ff1ed4befc9b369e59e8368a1ef8bd3a0f3cd

SHA256
29f35bbc082739e9845679b500feabc7442a997bd2676c74a7ca5e019760e678

SHA512
c579c77fba9b6d6d84d0deff2919e6cacb61dd335df5e13a840ef88dff1c9975e8d315510744547a8229bddd3ea5c73e80329bbacdee67008afe780b3b065847

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
59KB

MD5
80262589f8044971b46bf665d2a7f713

SHA1
5b063a26d82bafab41d444f80b771f1e43b3622a

SHA256
a0c94b626222cc697246df0a1c0644a1b3f7511ca3f9bab9eb2c02d599bc2716

SHA512
537add4d97f27a319f5967c23e245cc323269b88814f85012e1c71e13d1148a942524a70420a32fb92890e6b3808ec4137cfc86e1e72df1c47d34eebc754923d

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
59KB

MD5
49ade32155e84901625e7b92bfb1d319

SHA1
f044b57016cce6812032d5a73db4b9c5aaa0ffec

SHA256
d83e7bc09f31a9222a70ad901e7d89b8c2310363dee36481e14f248f4f13f876

SHA512
5863c3372125b8cda2b657f63609afc805e120f2830bd94cb0e0f34afbb0aea5497a8b277e4397b65b673c6a9aa44ce613e761c2083d1eb4a52829d946f53c41

Download Submit
memory/748-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-1-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/3212-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads