4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Size

85KB
MD5

574d4d7b8e2804fe1b24eb5f6e209f44
SHA1

6038ee0aac054fc00654550bfafac6d2cd950cfb
SHA256

4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36
SHA512

03d515d9c76172726a14f968040f79b38bec6c6e1df76f03066e4e73306965b9840bdabe841341ccf73a3484b3ac0781cdb160540fa5b004fb19a6cf4a25f033
SSDEEP

1536:j8M2UJzf1+r7M/Xunnp2LH5MQ262AjCsQ2PCZZrqOlNfVSLUK+:IMLJzN+r7M/UiH5MQH2qC7ZQOlzSLUK+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe

Executes dropped EXE 13 IoCs

pid	Process
4100	Dopigd32.exe
3088	Danecp32.exe
3084	Dhhnpjmh.exe
2140	Djgjlelk.exe
3420	Daqbip32.exe
4264	Dfnjafap.exe
1176	Dmgbnq32.exe
4464	Deokon32.exe
1704	Dfpgffpm.exe
4140	Dmjocp32.exe
4348	Dhocqigp.exe
1472	Dknpmdfc.exe
3500	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dopigd32.exe	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
60	3500	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4100	3132	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe	83
PID 3132 wrote to memory of 4100	3132	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe	83
PID 3132 wrote to memory of 4100	3132	4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe	83
PID 4100 wrote to memory of 3088	4100	Dopigd32.exe	84
PID 4100 wrote to memory of 3088	4100	Dopigd32.exe	84
PID 4100 wrote to memory of 3088	4100	Dopigd32.exe	84
PID 3088 wrote to memory of 3084	3088	Danecp32.exe	85
PID 3088 wrote to memory of 3084	3088	Danecp32.exe	85
PID 3088 wrote to memory of 3084	3088	Danecp32.exe	85
PID 3084 wrote to memory of 2140	3084	Dhhnpjmh.exe	86
PID 3084 wrote to memory of 2140	3084	Dhhnpjmh.exe	86
PID 3084 wrote to memory of 2140	3084	Dhhnpjmh.exe	86
PID 2140 wrote to memory of 3420	2140	Djgjlelk.exe	88
PID 2140 wrote to memory of 3420	2140	Djgjlelk.exe	88
PID 2140 wrote to memory of 3420	2140	Djgjlelk.exe	88
PID 3420 wrote to memory of 4264	3420	Daqbip32.exe	89
PID 3420 wrote to memory of 4264	3420	Daqbip32.exe	89
PID 3420 wrote to memory of 4264	3420	Daqbip32.exe	89
PID 4264 wrote to memory of 1176	4264	Dfnjafap.exe	91
PID 4264 wrote to memory of 1176	4264	Dfnjafap.exe	91
PID 4264 wrote to memory of 1176	4264	Dfnjafap.exe	91
PID 1176 wrote to memory of 4464	1176	Dmgbnq32.exe	92
PID 1176 wrote to memory of 4464	1176	Dmgbnq32.exe	92
PID 1176 wrote to memory of 4464	1176	Dmgbnq32.exe	92
PID 4464 wrote to memory of 1704	4464	Deokon32.exe	93
PID 4464 wrote to memory of 1704	4464	Deokon32.exe	93
PID 4464 wrote to memory of 1704	4464	Deokon32.exe	93
PID 1704 wrote to memory of 4140	1704	Dfpgffpm.exe	94
PID 1704 wrote to memory of 4140	1704	Dfpgffpm.exe	94
PID 1704 wrote to memory of 4140	1704	Dfpgffpm.exe	94
PID 4140 wrote to memory of 4348	4140	Dmjocp32.exe	96
PID 4140 wrote to memory of 4348	4140	Dmjocp32.exe	96
PID 4140 wrote to memory of 4348	4140	Dmjocp32.exe	96
PID 4348 wrote to memory of 1472	4348	Dhocqigp.exe	97
PID 4348 wrote to memory of 1472	4348	Dhocqigp.exe	97
PID 4348 wrote to memory of 1472	4348	Dhocqigp.exe	97
PID 1472 wrote to memory of 3500	1472	Dknpmdfc.exe	98
PID 1472 wrote to memory of 3500	1472	Dknpmdfc.exe	98
PID 1472 wrote to memory of 3500	1472	Dknpmdfc.exe	98

C:\Users\Admin\AppData\Local\Temp\4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe
"C:\Users\Admin\AppData\Local\Temp\4ec72e1440b374cdbfcbaa9708211347dc22a5710a24fb80863eb4a5e6b83d36.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\SysWOW64\Dopigd32.exe
  C:\Windows\system32\Dopigd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\Danecp32.exe
    C:\Windows\system32\Danecp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\SysWOW64\Dhhnpjmh.exe
      C:\Windows\system32\Dhhnpjmh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3084
    - - C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 396
        15⤵
        Program crash
        
        PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3500 -ip 3500
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Danecp32.exe

Filesize
85KB

MD5
e872118b2227609579d21066e07898da

SHA1
24754104a72dfa57cb91175e072026f452233bc0

SHA256
dda91f2f034750b6d78ed229c4b639655b9fa4c468bf1805d353b27602e58207

SHA512
6230f520748a9c7a92e4e3c772b2c000d193f87a4b8a06ac7dd3dc42258813426713c656fef33dc4d80c422b06a32c0b8b37fc66155c552fb6a88a9064292eca

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
85KB

MD5
8eab649f035f44da7d819e1372802394

SHA1
e30a84b69191fea0e7e06243c9e6cab808b46dfc

SHA256
6006f3bc62ddafaac2b3c9ab7b621531c0826d93bff153591ca687548dc54a95

SHA512
d986bd488649cc6814527a79f41286efbe0b21bff5f89d7a47b4b8fadf1d1109b6be7492957b703b6e95b67e071a2fefad2153c7925d87c3f73ab5ddc520b808

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
85KB

MD5
fe061bf56afe42aa8e5fb67cceeb99bd

SHA1
06bf92ca95b8b155db93bad193987b20ded54317

SHA256
25a249424a436fc00083e4a7058e3483d4d0407e30795e69b6f6f67a01925365

SHA512
f17127aa92118f27310908b7359378cd40594a9063969d6295fc379faaa865d628a23d64a520572ee73e07ba66932c327040baf806f0e24130b876a92d79d933

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
85KB

MD5
4b6f04a2a751cf0afbe741c460072fc0

SHA1
f247872292ea1f782d41f6204e3b42e2d0a37306

SHA256
1713cbe2ee949c79964670d36754531c8c9b58071e3b88153916d25645f3ac1e

SHA512
ac680a86a8bd2865a3611ed80bc1543764999388ac190f08042ff5c004641ae8d44c50d2e41d1eb92ad050b86cd36c82e5422b2ebe17871282781bb3497e1dda

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
85KB

MD5
4f28fad3ab03e8655c0b79632cbfe68a

SHA1
84d101cbd76f9e0bd0bdea670f0a68dbfcfa9fd8

SHA256
3eaa2af112d96c1069fe1d9913b4625187517a326fa5a4492799295bf2de4a3f

SHA512
f8478b5de7341ebd9d43e37e86fa440cdfa88ad3744c9e8d2691379111f009e792c4553003c6f7e48d7234ed52fc72a4bc767ca8984d73e3e3c7db3569e1253f

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
85KB

MD5
436b8b2dc11b7e0657c7ad82b4956cf7

SHA1
195796df34f68cda9f468fc6eb080ff19fdd5c08

SHA256
0603e5d5e250d6c30e9e46598564d917b28ced3ab4519b47a3042ec1dcc69ced

SHA512
87f0820c111a042398d8141f29b4aa7d088e8dbcbd0bca20718017501dc5934fbe191535ee78f967f044489d4d4ffa3864832a4bb23f66ce016542c0ab927c7a

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
85KB

MD5
a23121cf2e2ffe73ea859f08a9f8bec9

SHA1
ac1e5f164d2d25f0597e5d527a40cce4a07a5f6e

SHA256
6058230562ea2338e05c3f90f4af59ae8574145085207ed16e86d97e76b85d33

SHA512
7013bb894888ebc3710c68d91be8f69990752291e3cdf226da70da281648f3ab694a7eecea472d3eedba9c37cd6fbee6a6318c7429abb6b75a26c8ea03699801

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
85KB

MD5
06c86f4330226cfdf4c61c6fab85828d

SHA1
bd70bc81576daf4de3f1516d7840861727c1927a

SHA256
5e46a45f184e918cc7d162fd1eba9cb50cbcfbaafe7cfb59a817aa08fa128681

SHA512
e4384bdbdac71751440813d304f87283ec68566397f552f2c8e56fe42b4e12a9a83ff31bb9ef09e90b7d2a9009a0c6da93208406251f194f73e6805295160d0a

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
85KB

MD5
a58c284000a22b5a6a58efff3b0ccd72

SHA1
69870d5c74560d21ec4a0addf451ea2299839f0b

SHA256
148ff611f0d2c9eef7f9ef5754e3eab4a014b081eba0f007a93f4e6f8cf615df

SHA512
c666bb5ebd13fc1788dfe39559ad3b89bd95a6dbe6281074053d82285fc80c87cafdb3ba50d7329e32875d612981b0fc3867b7ce68639d6d12708078cb8543f8

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
85KB

MD5
4e14413a45d81d5f6df61ace8c0383a3

SHA1
69e4333a5d838dc2bd08d3d8b0bdcf5d811c5d04

SHA256
4aa15e57656559b02f880fa1dfe0a5b13f22537c2356077e4f36818a879ecc99

SHA512
42900987b89d03ce3914a612de0334fadb272813b839876e2092e7e163935612d4a0a3bafa286424a236acdea99de6ef97cbbf6bd1c28139730c607470ac557f

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
85KB

MD5
008a6ed385322f955f94bafc894ddb1e

SHA1
60aa50b5490df7d570702a20065f0126767184db

SHA256
a95bf2a08781aa01bec3ebf86d11f1cff8a72ac5f0bdb9a72bd42e7eced5793a

SHA512
13575f5403cef8451fa5dbab3967d1efb586d42381d42b2ed6fbd52c1a46299e51e81d12c97b2708c76ed0157bba6f2f5625d500c4579ececc12039e34edfe49

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
85KB

MD5
c81a553777fbdc4c91f11075ee15da41

SHA1
311d42737f26ac184d4b573f8e0189c42f9dee43

SHA256
17ca3da3fbb5f0118dc36dfab2c05fb4e286e89b91a35f32ed6b4ccb99056111

SHA512
bf3644ded26f73f481a588c4132579f1bab66d8a3f434ec50c43b92d6e79fc766d61f40de139be2e5017f520d1e353edb71c20232df440f38f32e2aba417872c

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
85KB

MD5
c29365b0b2422bf5edd1481c67ca7e49

SHA1
8bc2a47afb25296f97c8c191a37c1985542f9ec4

SHA256
a5eaf973caf7763a981bab283c83960f25aa266c9a43cf197284913c47b80897

SHA512
60b9fc9e0a9f5848fb80cbd5828afa47ed535a3bfda86c3aff5d1ef7f08235a496dabc226992da9be0a71e035263ab5a38400bb70a465718fb6272d5e99c0e98

Download Submit
memory/1176-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1176-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1472-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3088-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3088-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3132-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3132-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3132-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3420-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3420-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4100-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4100-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4140-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4140-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads