Overview

overview

10

Static

static

3

a8cbc0b314...81.exe

windows7-x64

10

a8cbc0b314...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 00:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe

  • Size

    67KB

  • MD5

    42499d22801c26b9c187e0fd47e1ec54

  • SHA1

    265f9f55fba58dba31350740aea46b61710ad5bf

  • SHA256

    a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681

  • SHA512

    e9cf5f1fa42763e4a39ab2828def1e16bf5273552263e390f13f0e1422f670d6fa47e79b4c9985a724a6f275161d7402e2ed8d24236f45940d08e977bf058ea0

  • SSDEEP

    1536:hc2B98P9MK9m3RLrk6BjVIqpvpLB4T44X1Ap4IlneAoXq8KRQ3R/Rj:VB9Wj0RLrHBXpvZBC44FhK+Qe3Vx

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs
    persistence
  • Executes dropped EXE 14 IoCs
  • Drops file in System32 directory 42 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 45 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
    "C:\Users\Admin\AppData\Local\Temp\a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\SysWOW64\Dmcibama.exe
      C:\Windows\system32\Dmcibama.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\SysWOW64\Ddmaok32.exe
        C:\Windows\system32\Ddmaok32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4428
        • C:\Windows\SysWOW64\Dfknkg32.exe
          C:\Windows\system32\Dfknkg32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4604
          • C:\Windows\SysWOW64\Daqbip32.exe
            C:\Windows\system32\Daqbip32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4820
            • C:\Windows\SysWOW64\Dhkjej32.exe
              C:\Windows\system32\Dhkjej32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3564
              • C:\Windows\SysWOW64\Dkifae32.exe
                C:\Windows\system32\Dkifae32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:524
                • C:\Windows\SysWOW64\Daconoae.exe
                  C:\Windows\system32\Daconoae.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:5112
                  • C:\Windows\SysWOW64\Ddakjkqi.exe
                    C:\Windows\system32\Ddakjkqi.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3452
                    • C:\Windows\SysWOW64\Dhmgki32.exe
                      C:\Windows\system32\Dhmgki32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1372
                      • C:\Windows\SysWOW64\Dogogcpo.exe
                        C:\Windows\system32\Dogogcpo.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2988
                        • C:\Windows\SysWOW64\Daekdooc.exe
                          C:\Windows\system32\Daekdooc.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2444
                          • C:\Windows\SysWOW64\Deagdn32.exe
                            C:\Windows\system32\Deagdn32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:3648
                            • C:\Windows\SysWOW64\Dknpmdfc.exe
                              C:\Windows\system32\Dknpmdfc.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:3736
                              • C:\Windows\SysWOW64\Dmllipeg.exe
                                C:\Windows\system32\Dmllipeg.exe
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:4908
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 408
                                  16⤵
                                  • Program crash
                                  PID:1964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4908 -ip 4908
    1⤵
      PID:4248

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Daconoae.exe
      Filesize

      67KB

      MD5

      bae01bbeb807192ca5112b35179ac52b

      SHA1

      2a4442d228031a9e995c10bc7d1e7df6c65b4672

      SHA256

      b678e2cc5db20bdc108ceae8ef79d9684c8cedf8b3a95382fbb50f5c663ab880

      SHA512

      c3ea7af12cbe9d5b29afceed0a67ac69a03691b448827cb4954d05d3f211b7440253286c1ca7dfbc1def80c21084e36da73eace8be1cee75d8613bf602d06a8e

      Download Submit

    • C:\Windows\SysWOW64\Daekdooc.exe
      Filesize

      67KB

      MD5

      2902f5a3b66ac054e1b129d33276e34a

      SHA1

      458b2d4443edaa385ac7f28831a551ed7fc4a1bc

      SHA256

      7b8bd89f09cd7dd4b1d50a70a5346140b7d884eea6bf957f3c5bf4e06453834f

      SHA512

      494d662387c9c16fc521e545f7259fab15bae0bea10e37844b73e94c22a8efd6046e0f4e4bb906b5fe340001c278875ee13d94cb89cf1ad40c4c8cd1cca06b04

      Download Submit

    • C:\Windows\SysWOW64\Daqbip32.exe
      Filesize

      67KB

      MD5

      d679d35a52e6c1b855c63b41632d6364

      SHA1

      7ee4e4bb94ae08fed0e5fbf2838f1a666264924f

      SHA256

      8e9a233bd9d89fa2a850c962bb8bdd523d6676dfb5411dee079c4ce807b1c2d8

      SHA512

      3d5a565786a641c299b0f82d8f4e5b0aa40dc67828fb8eae09999d4d1db700446d4dd239c0befb8437a184d7ee977ba5e4a6f0d2841228fa2899ad78aa389e3a

      Download Submit

    • C:\Windows\SysWOW64\Ddakjkqi.exe
      Filesize

      67KB

      MD5

      edd0f6f37d9f092ef4d978cc8c770479

      SHA1

      0dc19de76d4ef19933d17e0bf7c2a76d3bd0e0ec

      SHA256

      b073942bae3c1eb350e6a7adc457f59144870aef99536d05f656bb7d378f4a17

      SHA512

      0d7172b0b2374c4abb09528d7f35c662a62c79609616eceec0e2f426bc4b6db12428045d4fed5e2b7ecd55dfa15dc02b3785d7171843310ff3815b0e1665ccec

      Download Submit

    • C:\Windows\SysWOW64\Ddmaok32.exe
      Filesize

      67KB

      MD5

      782b5e28b49d96758390abe07bceee1b

      SHA1

      61a4930be12c7e1528cdc53917c2dcf38b69b3e8

      SHA256

      a413ec9b6f4a1bb1bd78d8701fd94838efe11b5e2a6fbef25e082318c21ec992

      SHA512

      6d2f989255b16999b21c59f68ec97580cc32a6f5c34bb5834a15ebc6cc800e740938ef9fe1a2fc409dd05571a9eb3457547825503456f7474164195b1f3aa9c5

      Download Submit

    • C:\Windows\SysWOW64\Deagdn32.exe
      Filesize

      67KB

      MD5

      cad1e762ea76952942bc8d13cb941bed

      SHA1

      792efc34f96f58abf9defc4494123a951ec1323d

      SHA256

      5d37542a276caa03616f327fd562c3bdf91c6b9c4963f7dbf95b6ae3b0c59988

      SHA512

      9d304286b225672dfa3a54c2b21fc8a135a1624678d1f048ccd1554d51557746309f2465cfa1b6254874363aa546cc41706eaf4f6b93677b5cf0e52607657c4c

      Download Submit

    • C:\Windows\SysWOW64\Dfknkg32.exe
      Filesize

      67KB

      MD5

      c12fa1b6af558178f12bb8a94491baa4

      SHA1

      13d3efb19714d0849622a4a1a5629692bcacbdac

      SHA256

      8ff1f2ad0e5aa8a3a8b48008d7104a2484cfdf835ad81f8cf9e6f15f3d64d991

      SHA512

      34ecc9392c15ddfdaf958c68be5fa32ba49c00d08a76499754293f46e0650e374bf412f7b5434d1a1227937d36575f257f98c6cd534b4c73b10e901ed739dc83

      Download Submit

    • C:\Windows\SysWOW64\Dhkjej32.exe
      Filesize

      67KB

      MD5

      b83a42285ec2055983d10b2ef3ea8413

      SHA1

      51e40477373c04b2fef92807db514c446f1d3fac

      SHA256

      021a1df83754c82d56cbac989a83661f8123f204c8c5cfc39ed9485f689d90bb

      SHA512

      733f1f9ae51500122c8b6654a22b13d79406161e39384ba5b3f03d6046b2482bb6a3ec82b4dee9344c616e620e93553c7c099c6995bee88e38bd5028e4142592

      Download Submit

    • C:\Windows\SysWOW64\Dhmgki32.exe
      Filesize

      67KB

      MD5

      aa118b782dee4401c1d03d65f9d36ae0

      SHA1

      df8be17b81f7d267317885305d4357e063cb3b4b

      SHA256

      d46c38d87e0557ad3b9c3890f7408d726f7c7ba61d3792858e66235ffad3f861

      SHA512

      030f66533ba8707cf0aa5ca57c19a6fb88149b2ed214419051b447d0e53bdded377cf82d1e491b10d7ce7c7c54c7ef3e81731378b59d2ddabf69a2eda9c3d0b1

      Download Submit

    • C:\Windows\SysWOW64\Dkifae32.exe
      Filesize

      67KB

      MD5

      f8357bc888c781c9d25e0a74fd9043ff

      SHA1

      aaf34e3521c85acefdcf6f4d1464c8954866eb00

      SHA256

      7abc2ab0668ff72f8f8a1daa7b8f3888bcdfd606e4018d5e2f8036f1894d9605

      SHA512

      1e4a612895257d0e09a197f1e71192ff4044ad6f6e3ce995ffa1b74c4a8c043c0e41bb2d95a61053f7c989c41a562fdf493cd4dcc165602104a7fe728552e889

      Download Submit

    • C:\Windows\SysWOW64\Dknpmdfc.exe
      Filesize

      67KB

      MD5

      d8147f5142482808c68b05cd061355c8

      SHA1

      b4293e94f2a0baa3654a69b6ccca3120e9d711c9

      SHA256

      8488d6eaf2776b5d8594d6c53e57ab4ac1d8d8e45a5b7c05965b9b80cb50338e

      SHA512

      0137de01924b901a20ab79bf79e9091391f5f6dc369155a261297f4b2dac04a20c2a1c6157127153af86a2da8a1baceb0c839fb94d3cd647eb2bea41ef628608

      Download Submit

    • C:\Windows\SysWOW64\Dmcibama.exe
      Filesize

      67KB

      MD5

      d468c2ee71ee2b6ed04b15899781a6db

      SHA1

      1e7a237ca5cea69484a110662088260993ee13ff

      SHA256

      b8934bb085d5bd2e61ab3abc0c93bc26c5b91133178ead1a42911742833aaaf5

      SHA512

      f5965faacd0071f2813accfc61e577edbdb422e5932fa22861bd9a4c201905de50351207601d6126c8128bf53cb61454d6c7ef61a47778835ff980ff4292c1b2

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      67KB

      MD5

      67b9b3c456e204e74f7519ac430c840e

      SHA1

      e5b9158fbf17772327951f7b87c83cdda0ebae26

      SHA256

      f8b6364ca8c1c652ca7f3cbdb1962f40f7b142368bcf69775b1bbc23703052ef

      SHA512

      520fa64bf5fa52819acb437d43c4981d2035d0a4a7b8b32699cbbc4df84cb4b3d99a29429ed33eed83823b6f90cf789247e53d8ac491e5226e9d64382158dfd6

      Download Submit

    • C:\Windows\SysWOW64\Dogogcpo.exe
      Filesize

      67KB

      MD5

      3432e64c8c31df77078e1031719bc7c2

      SHA1

      9334648fd4762ec33b8f21dab46cfb6e830e4e20

      SHA256

      25a90ac6ce679d1d358999398ce4685a2851534bac0aa6813095d7ce4ab91621

      SHA512

      e0c20d506b5623faf1e1405438cd689707a824f0e0d859d4889703539426e59deed473ab26a7a850b6eedd5bb94c92cf37e052320e71c1d13dff63d0450935b2

      Download Submit

    • C:\Windows\SysWOW64\Jbpbca32.dll
      Filesize

      7KB

      MD5

      371e2d38f164d249b0e2914914676432

      SHA1

      7e2e6aabe9d6577b807d99edf7eac0810ce3ad89

      SHA256

      d5f6cd8d1b8a4763813950c9fe3c64234d6855c99ad150a52c68097285f7f7b7

      SHA512

      78bbb9055f381c5ed91ba5c44a29ceaff8fff0c6fe9f74341b659a535d8981d34781bc651015677b4e7ccd8b3e7f341595592bcf64060bf3995132ecd0f27fca

      Download Submit

    • memory/524-47-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/524-121-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1372-118-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1372-72-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2444-87-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2444-116-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2988-80-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2988-117-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3452-64-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3452-120-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3564-39-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3564-122-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3612-127-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3612-0-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3648-95-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3648-115-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3736-103-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3736-114-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3948-7-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/3948-126-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4428-125-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4428-15-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4604-124-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4604-23-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4820-31-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4820-123-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4908-111-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4908-113-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5112-119-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5112-56-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download