4e647d86f3e781c4568403509ce8cdb154596395782b7ca97d981d792dc24959

Analysis

max time kernel
104s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
Size

128KB
MD5

7c9a49bfa6ca54aadf2e9a2a250ae960
SHA1

5bc7f41302d7b80f8347ca62ff53d55cb0611adb
SHA256

4e647d86f3e781c4568403509ce8cdb154596395782b7ca97d981d792dc24959
SHA512

cdd59c57eebdc5b0e35b737e081a789ff49dd62fd971d96544059476e62eebf5351c0f5ee9f4e20b7b70b0e9bfc5c47c1c69a79d56cb64c2b9bd324d38f6c657
SSDEEP

1536:wnumUv+IpBd5m/cSFxH+xJw9JnRdhLgkRQDEwRfRa9HprmRfRJCLIXG:wnetpBd5m0SDowDR/0keD15wkpHxG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe

Executes dropped EXE 10 IoCs

pid	Process
4100	Ddmaok32.exe
4864	Dfknkg32.exe
2672	Daqbip32.exe
3432	Dkifae32.exe
4264	Dmgbnq32.exe
3608	Ddakjkqi.exe
3008	Dogogcpo.exe
556	Daekdooc.exe
1704	Dgbdlf32.exe
4816	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3208	4816	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 4100	4448	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe	84
PID 4448 wrote to memory of 4100	4448	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe	84
PID 4448 wrote to memory of 4100	4448	7c9a49bfa6ca54aadf2e9a2a250ae960N.exe	84
PID 4100 wrote to memory of 4864	4100	Ddmaok32.exe	85
PID 4100 wrote to memory of 4864	4100	Ddmaok32.exe	85
PID 4100 wrote to memory of 4864	4100	Ddmaok32.exe	85
PID 4864 wrote to memory of 2672	4864	Dfknkg32.exe	86
PID 4864 wrote to memory of 2672	4864	Dfknkg32.exe	86
PID 4864 wrote to memory of 2672	4864	Dfknkg32.exe	86
PID 2672 wrote to memory of 3432	2672	Daqbip32.exe	87
PID 2672 wrote to memory of 3432	2672	Daqbip32.exe	87
PID 2672 wrote to memory of 3432	2672	Daqbip32.exe	87
PID 3432 wrote to memory of 4264	3432	Dkifae32.exe	89
PID 3432 wrote to memory of 4264	3432	Dkifae32.exe	89
PID 3432 wrote to memory of 4264	3432	Dkifae32.exe	89
PID 4264 wrote to memory of 3608	4264	Dmgbnq32.exe	90
PID 4264 wrote to memory of 3608	4264	Dmgbnq32.exe	90
PID 4264 wrote to memory of 3608	4264	Dmgbnq32.exe	90
PID 3608 wrote to memory of 3008	3608	Ddakjkqi.exe	91
PID 3608 wrote to memory of 3008	3608	Ddakjkqi.exe	91
PID 3608 wrote to memory of 3008	3608	Ddakjkqi.exe	91
PID 3008 wrote to memory of 556	3008	Dogogcpo.exe	92
PID 3008 wrote to memory of 556	3008	Dogogcpo.exe	92
PID 3008 wrote to memory of 556	3008	Dogogcpo.exe	92
PID 556 wrote to memory of 1704	556	Daekdooc.exe	93
PID 556 wrote to memory of 1704	556	Daekdooc.exe	93
PID 556 wrote to memory of 1704	556	Daekdooc.exe	93
PID 1704 wrote to memory of 4816	1704	Dgbdlf32.exe	94
PID 1704 wrote to memory of 4816	1704	Dgbdlf32.exe	94
PID 1704 wrote to memory of 4816	1704	Dgbdlf32.exe	94

C:\Users\Admin\AppData\Local\Temp\7c9a49bfa6ca54aadf2e9a2a250ae960N.exe
"C:\Users\Admin\AppData\Local\Temp\7c9a49bfa6ca54aadf2e9a2a250ae960N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\Ddmaok32.exe
  C:\Windows\system32\Ddmaok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\Dfknkg32.exe
    C:\Windows\system32\Dfknkg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\Daqbip32.exe
      C:\Windows\system32\Daqbip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 408
        12⤵
        Program crash
        
        PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4816 -ip 4816
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
128KB

MD5
4f64ab581538b4d2c84695c04578b6aa

SHA1
96688a822cf64698e68b333d1583adcf84f61232

SHA256
45130e263b36e637c50c7d4fea348b7ee55afaaf6c2eee00bb55ddfac37c69b9

SHA512
3be4fec5d4d73f668092672b007c8a100b96c9be8109ec40db6252c73c38c22f14d1d1baa0cb785bfd58a332c8520c87b5d302504e43d5a106893f2042febe2d

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
128KB

MD5
a3b6efac0123dc2d2e949848c645420c

SHA1
a67ae2000e167052de4282d0eff9d9f376820f6b

SHA256
eb9f7ff9bad0f3f9766bb6e52005a2ea93f311a3bc8a08b5d23d694ad4ee76d1

SHA512
34ff87aa6004beac4cab183d41b657931e11cc97b8e412c18c56a448768236e7d017698ebd1c431ae1f47cd3b98e2463b0b20c509f7277f6e26ac4c34608c470

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
128KB

MD5
909cc0b3b7a969ca6a695ec7308a9fe6

SHA1
4d031baa2f3cdc923b7a4ef6c5209a226bd2bf59

SHA256
c4721be0b390d54691ebd541b1189d5c7d9711248fbff0a608d3a6afbaf5369a

SHA512
d51effa1540631ed1ccdab634ef929e85a9695fcbbb4b49a639e9ede0d5704d96d62be2cdeacdfe98577d90602c6879bedfdaebe1f2fd1cd2b6a26ca9d3590d0

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
128KB

MD5
c617c66a4f381219e0bbe419ae935bbe

SHA1
fecc396a292c404441e92d7fe8d5709fc5a48cf8

SHA256
843b0aed52b7dbb4146aeea1ec8298107753ec87d9be3a9754929ae1388686b8

SHA512
9daee19729d990e89a4c97bee8121d6bb33281ceca39e061df8d06ceab157a56f1fb4f58887e31bc75607d2dbbd89ea7c5a1d92aab54d3b46a3219d25b18bf1c

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
128KB

MD5
056baae463a1b2435908bf5d657397f9

SHA1
1717763fed6748c45bfa7d96962efe45cc131975

SHA256
7a10d76409c155dddad8e0175477f2420ee218be1b31c1f4d85f37ac8ad333ea

SHA512
eaa87e1bc30844b3f78afe808fe193d523c0a99743219461a0d2d02b961e677de58245d804bf52538e6b956d448c94096eed40b4c1aca89c539fa1692d4c2735

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
128KB

MD5
772f933e47210698c2a43779a2e1d771

SHA1
5a2bcb8cee484f3493fa46b6269272a27daa094d

SHA256
571a1c3e2e1e7e6b5e5ef779a09874872c0fa222cd1cc5b9b19c53fb789117fc

SHA512
4eec8f10488df2bb993cea19d01b89e5da92b00fe0a51f3b57a8559a88ff8d06583eca32ee012c41dea48ef9958311f7b29adce8416304f1b948b8012dd59f98

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
128KB

MD5
3428c61fac0205b245ef3fc6fcf2afcf

SHA1
aff52ad2d84fde3718e3e972f461f55670ac3fcd

SHA256
226b59d8ec5b7f0d4c14b15fa6a727fb90d2321612d89c27475a0ec838c470c6

SHA512
22c50a9b15c62881dfbd428219429d421d9afc73a5a17a10cf5832c9aae1f5ce6aef13011deb83229357227e0899ff7b5225d5f2d4cac61925bf7059f1001667

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
128KB

MD5
1674f9ce899a4e2be6a735bec1b15676

SHA1
f08a2a45359148672af6788fa1b92120c7747518

SHA256
ac97239f3131ead3f1198c9922812400d03d1cca3754addba3eba3f4e76dda60

SHA512
8eb2dce363f2c20baeaed0bad359c95d5343ebffd0069cdeea486ad14bbf22b6e5c92dac42340396cbc37e2e2d55d3d56af53fa5d9d31275c144331c1ea7c38e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
128KB

MD5
6b1933e523b264a7a31be0c546b967e3

SHA1
8c35747e639d3bbcead03d13d138f7b2fac48bd1

SHA256
99bebfae93f143fbda2525bb7dbf5ee04cd799c21e593d7ad0e878f1261b6094

SHA512
ebbee0c4e5466fadcf23185ca8f393a5c827789e24337c638134d402f508b18a5617add7e4efc640c4a32ce80042333820947e479c316e7ddc88c57e1ca1593b

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
128KB

MD5
a6df732e9c78da9b797af8a723212018

SHA1
78634c6e3b24508cc919531b0191a6dafcd35174

SHA256
ef39b921ab6d5f283d5b09ba4ea6fdb51080dff932a3e6c726e81d25ed0ce971

SHA512
a7c3a2e5547cd1278e22261e1c467764392e12a55689fdff17347065c119b4fb1d9f6378b0ecc27bbabf33bc0990464f9ba6207e034630904b458a17c0766868

Download Submit
C:\Windows\SysWOW64\Ihidnp32.dll

Filesize
7KB

MD5
28df198c649799b6e5afcc8168bac965

SHA1
aa422926d1c83c269b39892c7cc46309f708d004

SHA256
ebafd16cbc01a8502c3fa7fbaaee8e49c2d1845a3ba4ae2b73dfa08712429ed7

SHA512
c2cd0b6f4e0a8c861811dbd478bce1a4e7fcec4e158a5505e1022c2f3dd2eeab367a7c208d6b8541ae7ed4dc1b545660e2dc3807570d6df0482d03400192f202

Download Submit
memory/556-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/556-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-84-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3432-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3432-86-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4100-10-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4100-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads