Overview

overview

10

Static

static

3

511c19c21a...0N.exe

windows7-x64

10

511c19c21a...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-09-2024 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    511c19c21a28a4d008bd713683c64720N.exe

  • Size

    74KB

  • MD5

    511c19c21a28a4d008bd713683c64720

  • SHA1

    8daa062b7ab3c77c5db9d2802e3ad03aae5ceac8

  • SHA256

    e1a63d788c3c486d0914279edb9e156946a5a397043cb7641b44800a15268d5a

  • SHA512

    95268cb88f8335831acfba514990e76505f713176ade806c85864ac8f3f2d1ed855994b5f4a98ebe14895cdd1ec1e23c94e1bb772897de321358cf35f69ca3a2

  • SSDEEP

    1536:/cF81e6FPDZb56JkA1BEwMxlNxdN7GcXqyUooZXO3NIHPicyqGU:/GSsJkplBNKQq9Xe3OvoqG

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs
    persistence
  • Executes dropped EXE 11 IoCs
  • Drops file in System32 directory 33 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 36 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\511c19c21a28a4d008bd713683c64720N.exe
    "C:\Users\Admin\AppData\Local\Temp\511c19c21a28a4d008bd713683c64720N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\Dfknkg32.exe
      C:\Windows\system32\Dfknkg32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Windows\SysWOW64\Dmefhako.exe
        C:\Windows\system32\Dmefhako.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\SysWOW64\Delnin32.exe
          C:\Windows\system32\Delnin32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:988
          • C:\Windows\SysWOW64\Dfnjafap.exe
            C:\Windows\system32\Dfnjafap.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3568
            • C:\Windows\SysWOW64\Dmgbnq32.exe
              C:\Windows\system32\Dmgbnq32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3920
              • C:\Windows\SysWOW64\Ddakjkqi.exe
                C:\Windows\system32\Ddakjkqi.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4848
                • C:\Windows\SysWOW64\Dkkcge32.exe
                  C:\Windows\system32\Dkkcge32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3448
                  • C:\Windows\SysWOW64\Daekdooc.exe
                    C:\Windows\system32\Daekdooc.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3008
                    • C:\Windows\SysWOW64\Dddhpjof.exe
                      C:\Windows\system32\Dddhpjof.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3212
                      • C:\Windows\SysWOW64\Dgbdlf32.exe
                        C:\Windows\system32\Dgbdlf32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:5052
                        • C:\Windows\SysWOW64\Dmllipeg.exe
                          C:\Windows\system32\Dmllipeg.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:3476
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 416
                            13⤵
                            • Program crash
                            PID:1144
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3476 -ip 3476
    1⤵
      PID:2088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Daekdooc.exe
      Filesize

      74KB

      MD5

      ba9210db590771af2bd43aaedf0e1ab5

      SHA1

      76fdbecfbf1362fe184e0bd58a2c260c9fffbb74

      SHA256

      b9f370b88e335906714afca9beecef3a48fa4cb12f9b380831e81996be8067a4

      SHA512

      2513c7d6cde82e024eb9d6675341281f9ab920574b43c6b05d8fbf356a4488acaf3568583be9e7228ccb6f54273809f41c405df1c5e05b5c947cc17a6658edf5

      Download Submit

    • C:\Windows\SysWOW64\Ddakjkqi.exe
      Filesize

      74KB

      MD5

      a753b2e597323f95bfa083db96d7abbc

      SHA1

      13cf2599b88686a66d49471a1787e0a00b4c4c95

      SHA256

      bdc53f1d8101617f837967c5717853b95746cbbf338c9313e3f19b3b7c70fc63

      SHA512

      4ebc48dc91d9d3fb5a8fac4c5eba899da75bda977eb4036c3b75953f8175c54c1dc8d14a594a0231bd15571ffeee0ea25450ca3adf3aa3ecd3367e2c11542f4f

      Download Submit

    • C:\Windows\SysWOW64\Dddhpjof.exe
      Filesize

      74KB

      MD5

      445a22f839840244145d4fca92f12898

      SHA1

      301c5f8418a2023f85f8d92f82968de34d555155

      SHA256

      01b295ea18114648f398647a9a39fb53c1ad995fca688aba418bfe976eb4386a

      SHA512

      d7617ee093c1b9b0e9d207f4b47e68cb8ed8b6d2b54e011af79b4d9f74e1e77b8aa10ee583300323ac2df9e5a8c1af9364691346e94411fca23e9c5affabcc33

      Download Submit

    • C:\Windows\SysWOW64\Delnin32.exe
      Filesize

      74KB

      MD5

      b7fbfb4b344b05b04f6a2a6cf6d4def9

      SHA1

      a53821ae63ce85392db69d0aaba1bd37bfd8a968

      SHA256

      1a1f0002a1271aca0e3d84ad395c036d4758d4d06da1a9a9eb03e3a7327a4d28

      SHA512

      7cb110cc07af17ae6927c5dd0270a6ef5b0729d6b4b076d928ce010b36e5620b9cf0295b776d8d99173cf012aa5a0c3b56ecf28b963ebdc3cca95e931f7bf58c

      Download Submit

    • C:\Windows\SysWOW64\Dfknkg32.exe
      Filesize

      74KB

      MD5

      e753305e96347a2dcca313e7dd8a1522

      SHA1

      c7fce8782a703eb295cb6fb841a38edccb49b6f9

      SHA256

      65daaac83e6b6acdf3f38a94195ee9bf29290f8acde476b28dddaabfc8e74e5e

      SHA512

      81ff30ecfd1099faf74e23ef0c8e4f1f1b064373372e716798d11205d2c542b65158da5cfbc045b07bce404b7c475eb969b3b0b8c82569986658509d25bee544

      Download Submit

    • C:\Windows\SysWOW64\Dfnjafap.exe
      Filesize

      74KB

      MD5

      fa7c500ed5db584919bfaac1e0cbb697

      SHA1

      fdb478ac38e06738d8eef32217a6806900b37ea3

      SHA256

      f2b391703c8bda7717c986c4b65d748f2721550259223d064490745cff52ac9e

      SHA512

      78a812224b86de8515d3f570c8cf16d31889ff66c74d547e54b470b18f401ddd9a3d4c8d9c509431a9fb64da26334c0c2619fc6d2845992c8b24e831c4446fb3

      Download Submit

    • C:\Windows\SysWOW64\Dfnjafap.exe
      Filesize

      74KB

      MD5

      b6f6ba493c574b634a684d811df703e2

      SHA1

      57a02ec95d12e254d11bbebfbaec41806c5020eb

      SHA256

      72caa8bd62f90fb3c59fd478030ca1eb063059dff5b94d6749c5dd3d8caab23a

      SHA512

      8f031912a1cd00d29849159c481a20eb9a19c7c64e4d525cae0422c4a545371aa308adde621d289bb0dfb9614658f996d5c19efbf5b02418ef287eb6e833ed62

      Download Submit

    • C:\Windows\SysWOW64\Dgbdlf32.exe
      Filesize

      74KB

      MD5

      1145424c73b2b598772548641e8215da

      SHA1

      6ec8b0d4b2dd84a25027978f4ad7d2a7bc777688

      SHA256

      b2b4ddfa42587f0157cfda69d8605e095138133041ecd7aff1db2e10df91acd0

      SHA512

      620d2e8e69ff199e5ceb0d59b7f7bb45ee4d9563cd1fa0d84a589c860581df7aa6e7fc8138ed4b3565f37f3b87ca247104dc03be1a96c10eff53d00529019433

      Download Submit

    • C:\Windows\SysWOW64\Dkkcge32.exe
      Filesize

      74KB

      MD5

      47bff0fb54f52a46b4b4f7eed51f86f4

      SHA1

      0d5914165699ec5392b90fafff50925c6e2418d6

      SHA256

      471725dab145da5b39fc9842ae2c0882c47b9d685b7e90d29f3417cd5fc786e6

      SHA512

      4d3464c1d81b6443166d84cff475a6865fe08414a53a807118a49f58ae2272aef3515fd6b98f84293f5927506eb667f8ed943d44f11cb12a41ca8a48b1c61bc4

      Download Submit

    • C:\Windows\SysWOW64\Dmefhako.exe
      Filesize

      74KB

      MD5

      5bf7834c98a611ef707fef9dc2871981

      SHA1

      0daa90abb98633c73c089b26e03e5e54f7af6cfc

      SHA256

      fbad722a75ac72f11d55fbd90a360d2c724b0d9d3e77529ff678751ee34a4307

      SHA512

      11af5be9efd7b906ea0d3c1aec6b7cc3cc3f364702b7eade337c1e1b3996a77771b0c5dbe9101efedace79398bbeda16482c078568834549e1cf4831e87e2416

      Download Submit

    • C:\Windows\SysWOW64\Dmgbnq32.exe
      Filesize

      74KB

      MD5

      e8fdfc39b803ddd9f52aeffa5d098be6

      SHA1

      fbe3c2acedf1bc30f8edf209bddde92e3f9e6a7a

      SHA256

      6ed4d807318f807bcd0dc45ca6002ebab8d79b622e95d1849c7d247cad4aeefc

      SHA512

      6d9c77c7003fb5e112cceebee1dcbc0658140bb471a60098ff5f4f760982eccafa8f9fd5a6b053c55e67ca2a82994fb9d387c8dbfa0c203ca10271f5d5661a0c

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      74KB

      MD5

      a237e6a51456f1f1fac35df6862317fc

      SHA1

      a204b92fdad4bd244d2960428544d045a6d1df8c

      SHA256

      6046608959fad343efda52c2ee532d4edab69b6591328ea23ee87ccdbaa072da

      SHA512

      3cea33131a160ac8b1ff6cf6c362b0ea57dda4b873a1ae87c286ad00a757dd0ce7b02b92cbd75696a116ad278391d0b23b526d97f33db606088fe64ed60e9ba6

      Download Submit

    • C:\Windows\SysWOW64\Ihidnp32.dll
      Filesize

      7KB

      MD5

      bb09192d6734e7f7c5c9cc8a9c155e85

      SHA1

      0144481ccf28a171ea21ba7aae34ea22a0e5956e

      SHA256

      ebe2ea44665022eb97beccb4c1d4e67678e7dc162cb7858f323f307743a54478

      SHA512

      11e206dce4cb442eae3051da0cd3d83d9b62950659b9eb162e08968a30275b8204084a30fb89794e9c99dc24995756b2c2a5585abedc5963d723c9dea0322f44

      Download Submit

    • memory/952-98-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/952-15-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/988-97-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/988-23-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/2360-100-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/2360-0-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3008-93-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3008-63-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3212-72-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3212-91-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3228-7-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3228-99-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3448-92-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3448-55-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3476-88-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3476-89-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3568-31-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3568-96-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3920-95-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3920-39-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/4848-94-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/4848-47-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/5052-79-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/5052-90-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download