Overview

overview

10

Static

static

3

ca90c1f623...8d.exe

windows7-x64

10

ca90c1f623...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/09/2024, 01:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ca90c1f6230e8603d1bf318e1372452e58cc93d800f9098eeae037720a5e408d.exe

  • Size

    1.3MB

  • MD5

    ef3c2cfc2eba61535a38d487a0ea253f

  • SHA1

    9197482ae9105e309e394bbfcc91f9e2d76a0553

  • SHA256

    ca90c1f6230e8603d1bf318e1372452e58cc93d800f9098eeae037720a5e408d

  • SHA512

    8e0d5f129bad09d107ea320471270b3732d49a351e669afa5871b7d75c5f63710a2e4c7f94b5841c1acfd39bfcc92c261c56fed76e2665962926690c735f263e

  • SSDEEP

    24576:rH8yNPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oW:rH8yFbazR0vKLXZ

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca90c1f6230e8603d1bf318e1372452e58cc93d800f9098eeae037720a5e408d.exe
    "C:\Users\Admin\AppData\Local\Temp\ca90c1f6230e8603d1bf318e1372452e58cc93d800f9098eeae037720a5e408d.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\SysWOW64\Dejacond.exe
      C:\Windows\system32\Dejacond.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\Dfknkg32.exe
        C:\Windows\system32\Dfknkg32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\SysWOW64\Dmgbnq32.exe
          C:\Windows\system32\Dmgbnq32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Windows\SysWOW64\Dmllipeg.exe
            C:\Windows\system32\Dmllipeg.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4444
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 408
              6⤵
              • Program crash
              PID:2572
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4444 -ip 4444
    1⤵
      PID:4480

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\Dejacond.exe
            Filesize

            1.3MB

            MD5

            d2e6d0b0c97d093c46c9285e273c301f

            SHA1

            832707eacb8fabe3bd5884733890c7f0b1cbb282

            SHA256

            bbf11ce1fc388858fba682285c24d4b26edcbf89704891c4148e166ff11cee3b

            SHA512

            0ed79e926c4d08442acd750323f788f11c2338c32c326e2ce3af574e2d275b6134292a5cd0c6af2caabc8736c3be7a6106338dcabce293498905332aebe64619

            Download Submit

          • C:\Windows\SysWOW64\Dfknkg32.exe
            Filesize

            1.3MB

            MD5

            f26b3feac67c199b8ccbc4f8eed1f260

            SHA1

            39de371b7a91f6d7e7997cc57a17d274d91f7218

            SHA256

            408ef068a8ebadc7b340e8da849c9a35f62e91dfb4c96b0d63e71c3c071cf488

            SHA512

            885bc0eada0f96002fd7af40fcb8b7ba11f8a13c8788dbdff74393b536832df9cf025d2f7ea3834e8c2e05a4ead049bd19568d56e896e773f2d422e1e3f864fe

            Download Submit

          • C:\Windows\SysWOW64\Dmgbnq32.exe
            Filesize

            1.3MB

            MD5

            1a3f764d3db64048dd3b7545fa508150

            SHA1

            dc169a2df3fd8e93ea3400db94ad68cd04d7f7c3

            SHA256

            597d269cb7dabccdf3a2d31536926b71485f294c92caa05558666451849bf333

            SHA512

            5b5fd61839afee23488dd6659de2a2927d0ec5cbec7818908b11384b9e11080e3f24fcdf80ff26ee057e9b8b1c721e7f5f9c906f9358d2c977f5ef75a0941ad2

            Download Submit

          • C:\Windows\SysWOW64\Dmllipeg.exe
            Filesize

            1.3MB

            MD5

            f3028fcbc84e871c2fa28935d5c39b6e

            SHA1

            14986163f0ac1445ee98fcaa8681f88e737e6145

            SHA256

            380509263516e3fcfc16fac976e97952dd9fa5acf1113e08f999d5bf5e13ac5f

            SHA512

            9c28a0fb2796ba033d503b77b8d49f08538f96f27a9ac55873b9ec8fe57fe0cf2f8b7fd2a03dabd5249ef9a6a3ec39144b1a23b5a9fe06d67e89f3670f5162df

            Download Submit

          • memory/1436-0-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/1436-42-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/2012-23-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/2012-36-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/2148-40-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/2148-7-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/3000-15-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/3000-38-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4444-31-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4444-35-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download