7705d1f04a9c5c14d1dad9d6a8e6d2ef53d72e9cf87cdc5a74329e3bc5cdcf27

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45cb5b26400a4cec483427e4b4032bb0N.exe
Size

75KB
MD5

45cb5b26400a4cec483427e4b4032bb0
SHA1

ecaac73dccb92d7d1c6132fe27f5d650a6abfaff
SHA256

7705d1f04a9c5c14d1dad9d6a8e6d2ef53d72e9cf87cdc5a74329e3bc5cdcf27
SHA512

8d5eea3ff0b98ec98e3fe56852065208887ef40f86a235da6f2d872472dc28daa96fef6628812170de987a17ac1b92fbe3591dc64685bcea2404c11e712d2142
SSDEEP

1536:nV8BQCjiXj/Pb7PWidRup1cgCe8uvQGYQzlV:V8yKiDb7PWidRwugCe8uvQa

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	45cb5b26400a4cec483427e4b4032bb0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	45cb5b26400a4cec483427e4b4032bb0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe

Executes dropped EXE 13 IoCs

pid	Process
2716	Dmcibama.exe
3000	Ddmaok32.exe
3084	Dfknkg32.exe
2368	Dobfld32.exe
3128	Delnin32.exe
4320	Dfnjafap.exe
4912	Dmgbnq32.exe
3048	Deokon32.exe
4288	Dfpgffpm.exe
400	Dogogcpo.exe
3012	Dddhpjof.exe
4292	Dknpmdfc.exe
4496	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	45cb5b26400a4cec483427e4b4032bb0N.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	45cb5b26400a4cec483427e4b4032bb0N.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	45cb5b26400a4cec483427e4b4032bb0N.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3168	4496	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45cb5b26400a4cec483427e4b4032bb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	45cb5b26400a4cec483427e4b4032bb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	45cb5b26400a4cec483427e4b4032bb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	45cb5b26400a4cec483427e4b4032bb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	45cb5b26400a4cec483427e4b4032bb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	45cb5b26400a4cec483427e4b4032bb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	45cb5b26400a4cec483427e4b4032bb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2716	4408	45cb5b26400a4cec483427e4b4032bb0N.exe	83
PID 4408 wrote to memory of 2716	4408	45cb5b26400a4cec483427e4b4032bb0N.exe	83
PID 4408 wrote to memory of 2716	4408	45cb5b26400a4cec483427e4b4032bb0N.exe	83
PID 2716 wrote to memory of 3000	2716	Dmcibama.exe	85
PID 2716 wrote to memory of 3000	2716	Dmcibama.exe	85
PID 2716 wrote to memory of 3000	2716	Dmcibama.exe	85
PID 3000 wrote to memory of 3084	3000	Ddmaok32.exe	86
PID 3000 wrote to memory of 3084	3000	Ddmaok32.exe	86
PID 3000 wrote to memory of 3084	3000	Ddmaok32.exe	86
PID 3084 wrote to memory of 2368	3084	Dfknkg32.exe	87
PID 3084 wrote to memory of 2368	3084	Dfknkg32.exe	87
PID 3084 wrote to memory of 2368	3084	Dfknkg32.exe	87
PID 2368 wrote to memory of 3128	2368	Dobfld32.exe	88
PID 2368 wrote to memory of 3128	2368	Dobfld32.exe	88
PID 2368 wrote to memory of 3128	2368	Dobfld32.exe	88
PID 3128 wrote to memory of 4320	3128	Delnin32.exe	90
PID 3128 wrote to memory of 4320	3128	Delnin32.exe	90
PID 3128 wrote to memory of 4320	3128	Delnin32.exe	90
PID 4320 wrote to memory of 4912	4320	Dfnjafap.exe	91
PID 4320 wrote to memory of 4912	4320	Dfnjafap.exe	91
PID 4320 wrote to memory of 4912	4320	Dfnjafap.exe	91
PID 4912 wrote to memory of 3048	4912	Dmgbnq32.exe	92
PID 4912 wrote to memory of 3048	4912	Dmgbnq32.exe	92
PID 4912 wrote to memory of 3048	4912	Dmgbnq32.exe	92
PID 3048 wrote to memory of 4288	3048	Deokon32.exe	93
PID 3048 wrote to memory of 4288	3048	Deokon32.exe	93
PID 3048 wrote to memory of 4288	3048	Deokon32.exe	93
PID 4288 wrote to memory of 400	4288	Dfpgffpm.exe	94
PID 4288 wrote to memory of 400	4288	Dfpgffpm.exe	94
PID 4288 wrote to memory of 400	4288	Dfpgffpm.exe	94
PID 400 wrote to memory of 3012	400	Dogogcpo.exe	95
PID 400 wrote to memory of 3012	400	Dogogcpo.exe	95
PID 400 wrote to memory of 3012	400	Dogogcpo.exe	95
PID 3012 wrote to memory of 4292	3012	Dddhpjof.exe	97
PID 3012 wrote to memory of 4292	3012	Dddhpjof.exe	97
PID 3012 wrote to memory of 4292	3012	Dddhpjof.exe	97
PID 4292 wrote to memory of 4496	4292	Dknpmdfc.exe	98
PID 4292 wrote to memory of 4496	4292	Dknpmdfc.exe	98
PID 4292 wrote to memory of 4496	4292	Dknpmdfc.exe	98

C:\Users\Admin\AppData\Local\Temp\45cb5b26400a4cec483427e4b4032bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\45cb5b26400a4cec483427e4b4032bb0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\Dmcibama.exe
  C:\Windows\system32\Dmcibama.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\Ddmaok32.exe
    C:\Windows\system32\Ddmaok32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\Dfknkg32.exe
      C:\Windows\system32\Dfknkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3084
    - - C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 404
        15⤵
        Program crash
        
        PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4496 -ip 4496
1⤵
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
75KB

MD5
dca16eb20c2c4cb05334223e46a24ab7

SHA1
bcb0e65b9037362a499fa6bec6c4c687ff0762e4

SHA256
c23cf756d284794d744536395abae34979accfa8b61e4e507f285afea71d514f

SHA512
2697f408fb76ab942d2d8d850fd16a7b5c28ad0158042e87e95be442f7f90b1bf25185a21a6a006a1fc8bdbcb78e7b49a4b406d65d8a4719bead3dcff3317ee3

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
75KB

MD5
3d3336ec4385b3e62d62fb2ff693352f

SHA1
147f2b5d6fa3219878ec37a05e0abb09f1ab9a84

SHA256
e325c3cdf90b2cdbc56bf2a03cdf2666a4d01a1494937f91198374f68190ec40

SHA512
620ba56fca81252a37f94e80445d97b80aceed219456d02704f16a27268cfcb27e3c66b521a559a8177281f8f3d3bff0baf94a96d57d1beee880bb7c1f0444d6

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
75KB

MD5
dac04f7bdad6d42e53d02804f0788ad3

SHA1
a787ff9b1d6c3f7dbbd449450093adf68549ef70

SHA256
ead969fc490e9ef47bcdba6fdd3bbd197d396353b831ef9c6e533fcc4c4f4016

SHA512
3e123e6d06a8d13bfaf198327ea5c73c9a78cad301b1d9be25d86eba4a97908784a3c431701887833f667e10064ca70e19f0b4475533345550c9f35e16a3cec5

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
75KB

MD5
bd027f6738a8d338e6b23663737f6810

SHA1
66d1a265986ac40802aa36ad4a4c217b13068ed1

SHA256
004ceac9b48060e16c3765ac5b1d832572d239e6a626bc44a6826ad42432d89e

SHA512
8460d0c9b1483eefe9266b02eae64171e7525934f78a2effb064d9e683c4f13499e6fb82836f981c3416248b5207e55cd6c8df0b23337c1cd087f21820536ccb

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
75KB

MD5
c6ffa2c30e78a27e38454c8dd48e5150

SHA1
9fadd6e7263b9f65bf34bd38dd4bf418fb8a2bfc

SHA256
4a17168d2e7f21d3ce05c33ab16aa0ed1fcf10ce927217866fc2bf16ba841d5e

SHA512
8545fe616fc194f9a8c94228ddd87214c581f4f805df3fa64b7ffda72273baff0afe39610ff12114f8ddcb5fe45cfe3a9d799584ccb202c6cd033c8bb35e81b6

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
75KB

MD5
f556fec4bae3991d6956fe31d446c60a

SHA1
2fd200c7f07ddcc42cc47c40cd89e958943c2f30

SHA256
83f25191b1f43a99bc38aabd09149c36c0c43306c50ef74963ab09bf6250cc3d

SHA512
73dc301b38da56d84f0764556a26b0bb62d4428089c488b6f8ac714bffc75c755340603c018dc9d87ef7916bb5c5a491ef9019e75f50b986985016b16822721f

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
75KB

MD5
f67c678b73b5ea0876f6099366d9b447

SHA1
12034a4c8ee0bd0e230316fc04405a885deb5bed

SHA256
83505238c0dc4c1ef7375a43579731b369ea929120ac0622721a3bbbc985ec38

SHA512
54379e8110d72a4e35984aef6b1a3b3876e1ecf51403316290b5611ba4535b5a0c6502cd2d3da7d073ea806e276b2ad9c02a8ad99de3794870e2a9008bf23e91

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
75KB

MD5
48a8b71f3b52f93bedbc1bdf92db1de0

SHA1
10bae295ff13025f3de16a8d8246c242fc470725

SHA256
f06fda5437c9976acc649cef44c465072c0764baa3fc94f184ceeb84b84f8658

SHA512
d611d89cff63d4819054f0befa9fecf47d62a0290af2a63537d860ce114d53e8667cbf7394bf460bb7fbd79990ed43117e0a41e3a4d72d5e5f9f980e024bb466

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
75KB

MD5
d96042a00464c7dc4b1202ea944859bc

SHA1
6b3f75500fc937f1394586a257933212d17a7bdf

SHA256
157b59d9caa6a3086911fecd74fb1f93d1386e4c62871aef957f5d9dcb980452

SHA512
1a1223dca34188218a6d37b8b16423de13e372a67faeef0f8328f1be467fcff675ccf81589b9353182fd0f1b0cda8a328995f152e638981493b8fec3c7fc51ab

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
75KB

MD5
6deace30195cede2a93056a6d7173fad

SHA1
3f60ad07f35a4d1bca9c2eee1e7202cd7f558df9

SHA256
1419680b478edcca62d3b0e0cfc0267595724aa4358e7ecc1845d30cf835cf29

SHA512
0833da531c600723830c4b97b1a8d802a7d7664a6024764eaea452da0d5d04695ee0739867aa234a661859e0808ff567008e6048ec18cc413564e63c29a242a5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
75KB

MD5
000c73a3145d33ea9ef52e91d2ed9afe

SHA1
48b364ef36553cf5691dfbeb60a1aab2dc079381

SHA256
b2530e2175c433225479e445a83da9f510b0c1d2f312b5249ad1861228413e91

SHA512
b2daf93c164e547abd4eba625b13952a2491005a1ccbb02fa64f7e291ea7d3ae525538b02b812ab532a1e4a2b8cadf69ca56a66c669f9822f22b1952a084966b

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
75KB

MD5
d7a66bee1165f6e65925c633c5843736

SHA1
9425444f216bce869a262af699b8669ffdd94d4d

SHA256
23eba8f72244e4e8b323d9b2ea33f8f2331377d9bdfa805fb916daf38bb800fa

SHA512
9cbd369526566f7fa94b5a68e31b9fc2ec569cb831b35d2c406b2a761f095fc513d6c1f05538ac3f8fe5eb485e546b602bb1509fd844f01ea0cd9c2463313f53

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
75KB

MD5
30aeb0d5855462375226b14cdb2598f7

SHA1
cf1cfd331128e1298da02160ce0abf745aea06a9

SHA256
f6cb231182f87d795c2795fddef94cd8aa32ca0ddbd1fd16e1ce17b5cf15bf18

SHA512
df1171c4706cc12e2e18ba19015c1c60137f8eedf276f5346f99a25f42be31b2a4482a5db93c98778c22c8ac8384f9bb394fd9f40e2f084ba5eaa910bd0910a0

Download Submit
memory/400-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/400-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2368-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2368-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3000-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3000-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3012-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3012-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3048-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3048-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4288-110-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4288-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4496-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads