847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f

Analysis

max time kernel
93s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Size

77KB
MD5

8d1c9d5481e3c328f906ced209da2a16
SHA1

54067af59855331e8dcf8bb6a805ed6b97f37b81
SHA256

847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f
SHA512

437b0c8d9e07a199e9719fd846bf8015eeeb9462130a6c8da05cda3935e0de53bc5e3d514f00b444f4548ef6fe8dfa0d0db56849cca1d53d49f72cf165693e5f
SSDEEP

1536:KVTNIeCekdS6Hz+XaTfU7jia5y2Lt4wfi+TjRC/:KRNIodWzbs7Oe/Owf1TjY

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe

Executes dropped EXE 13 IoCs

pid	Process
4824	Dfknkg32.exe
4348	Dobfld32.exe
3984	Daqbip32.exe
3420	Ddonekbl.exe
2868	Dkifae32.exe
4436	Dmgbnq32.exe
3284	Daconoae.exe
1200	Dhmgki32.exe
2304	Dogogcpo.exe
1624	Daekdooc.exe
3164	Dhocqigp.exe
4184	Dknpmdfc.exe
1580	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3920	1580	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4824	3476	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe	83
PID 3476 wrote to memory of 4824	3476	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe	83
PID 3476 wrote to memory of 4824	3476	847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe	83
PID 4824 wrote to memory of 4348	4824	Dfknkg32.exe	84
PID 4824 wrote to memory of 4348	4824	Dfknkg32.exe	84
PID 4824 wrote to memory of 4348	4824	Dfknkg32.exe	84
PID 4348 wrote to memory of 3984	4348	Dobfld32.exe	85
PID 4348 wrote to memory of 3984	4348	Dobfld32.exe	85
PID 4348 wrote to memory of 3984	4348	Dobfld32.exe	85
PID 3984 wrote to memory of 3420	3984	Daqbip32.exe	86
PID 3984 wrote to memory of 3420	3984	Daqbip32.exe	86
PID 3984 wrote to memory of 3420	3984	Daqbip32.exe	86
PID 3420 wrote to memory of 2868	3420	Ddonekbl.exe	87
PID 3420 wrote to memory of 2868	3420	Ddonekbl.exe	87
PID 3420 wrote to memory of 2868	3420	Ddonekbl.exe	87
PID 2868 wrote to memory of 4436	2868	Dkifae32.exe	88
PID 2868 wrote to memory of 4436	2868	Dkifae32.exe	88
PID 2868 wrote to memory of 4436	2868	Dkifae32.exe	88
PID 4436 wrote to memory of 3284	4436	Dmgbnq32.exe	89
PID 4436 wrote to memory of 3284	4436	Dmgbnq32.exe	89
PID 4436 wrote to memory of 3284	4436	Dmgbnq32.exe	89
PID 3284 wrote to memory of 1200	3284	Daconoae.exe	90
PID 3284 wrote to memory of 1200	3284	Daconoae.exe	90
PID 3284 wrote to memory of 1200	3284	Daconoae.exe	90
PID 1200 wrote to memory of 2304	1200	Dhmgki32.exe	91
PID 1200 wrote to memory of 2304	1200	Dhmgki32.exe	91
PID 1200 wrote to memory of 2304	1200	Dhmgki32.exe	91
PID 2304 wrote to memory of 1624	2304	Dogogcpo.exe	93
PID 2304 wrote to memory of 1624	2304	Dogogcpo.exe	93
PID 2304 wrote to memory of 1624	2304	Dogogcpo.exe	93
PID 1624 wrote to memory of 3164	1624	Daekdooc.exe	94
PID 1624 wrote to memory of 3164	1624	Daekdooc.exe	94
PID 1624 wrote to memory of 3164	1624	Daekdooc.exe	94
PID 3164 wrote to memory of 4184	3164	Dhocqigp.exe	95
PID 3164 wrote to memory of 4184	3164	Dhocqigp.exe	95
PID 3164 wrote to memory of 4184	3164	Dhocqigp.exe	95
PID 4184 wrote to memory of 1580	4184	Dknpmdfc.exe	96
PID 4184 wrote to memory of 1580	4184	Dknpmdfc.exe	96
PID 4184 wrote to memory of 1580	4184	Dknpmdfc.exe	96

C:\Users\Admin\AppData\Local\Temp\847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe
"C:\Users\Admin\AppData\Local\Temp\847d50fab09a3a436518dbf58cd58ee6cab3e8172bcb3c53031794d652bdbe0f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\SysWOW64\Dfknkg32.exe
  C:\Windows\system32\Dfknkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\Dobfld32.exe
    C:\Windows\system32\Dobfld32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\Daqbip32.exe
      C:\Windows\system32\Daqbip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
      - C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 404
        15⤵
        Program crash
        
        PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1580 -ip 1580
1⤵
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
77KB

MD5
8b48a76234f976cd352eca06012e8c04

SHA1
c0b678d893150401114ad88b06bf46ade04791c2

SHA256
cdc674a66c48c4bd71a583491660d85faf5edd3d644340d65a36796af2e5ea4d

SHA512
96b1c087323b558822640f9e57cb6939937e8180f2962ad4fbdb342ef1ec4dd3514f7e81c26094076f93f02f1f64e4a0ac1e962d26eb9e3ce5dbf5498cdfcf01

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
77KB

MD5
8b115e09ed2d6d40f8051c09f44fd8aa

SHA1
73ee715158e47ad42f09050aba41d8ed43d76aa4

SHA256
5c4917dddb3310f95c634b6d44230abecc824e4a71da8d3dba7f8fbdf463d392

SHA512
918b1a014a15d7b807beb0929dd2c98b51047bb811abbd6e1be3a751afc99a70e01bfef6028378836f3209e12a6c35b64db22b83e493e09f571afbf0cd74d4cc

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
77KB

MD5
7d6106676a962633fbd17e6ea815bb2a

SHA1
badcde3eb508f23ad6502e8243bfe394df776c09

SHA256
f80e69eeed0997888d67324a0069a8488c25b3e72b998a5df9c5e0cae4a9abe2

SHA512
1db335b0e090d8e8eb5e9a371e8de4f859683032e84e49f6368b67647435eb7aef4d94abef472efec09e47f05c9138504a504ff48076ca4e08a89529ef79fcf5

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
77KB

MD5
f9ce2d077e000a95107de702eca216b6

SHA1
b836bef0c82735ca56590f221e70d69f3fb9ad4e

SHA256
1774e757ab0e6db9dc603ffb322e7ddefe747df74b4173a517777c3ce4d2db73

SHA512
49a7d26a38c5a2595a806e23d16cba8ff6c17e81224a6da9c440a1f561e85b2d15f11fb544aa8eb8e24e4a3f4b49a13b89b0b5e46ea4610c597d65651bdd5076

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
77KB

MD5
e14f2f06e18f8a3d577bfca223612332

SHA1
89f50f19e6731acc0c9738bb2020eefd34b68248

SHA256
a8bee85c3e263675ee86a77b9e526a249abb714a5814f7215ac8c6d1cc7b6708

SHA512
805133d35a266ee5a21a91eadc52c50b35aaf47295c1fc99419f768112abe1e3bab0cc1067b0ab0a0049343fe536b95ec90d262659dfe9710b032ffb4f0924ae

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
77KB

MD5
4512262fbe41dcd15ff9d15482029b8a

SHA1
8480cd7e1ff80fddc21be7e50b31d9530acea3e2

SHA256
f946305cb17a3e3e9f74bae4e46c731211d4cce7c4475f65647e6c7342a1f3c3

SHA512
3c32f7b69a41f6beecc2c16b0bdef5fd275256c77daff829056951e6c3bd07463613007af9113a1a1bee35cade6ba3834a1e0d953b9b19ff1c812b279724fcd7

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
77KB

MD5
ea99ca1e525f54e8d012a7c9268acb04

SHA1
d40ca02ffc3254cafb4c54a579a8cb95e7d9f890

SHA256
d1675696f389dd4f2405b7e44c2953db9053f6bb3d2198b2e724d2ef85cf14d1

SHA512
2e7ec0265fa41727778b2c5e942356627b9e70513da9e5a0bfee7323b6748bf374c8f2a77fe7efd491572f6506593631ecb3ee5c5e29712c535d17e759c843fb

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
77KB

MD5
43775d79d594896a5b0d86222f6c51e6

SHA1
2584dfba2874f914434eeb0256c1430e8a578ac5

SHA256
fb467737d96b287079eeb9d5b4014441fe795966c5627b096317f7f3552831b7

SHA512
e15ce9baa8c4505495339ba33d6790927557036c5ef75d4da8f1e9a4968092937471972baeabb02224c43462672640db68fcc7c1490c115ceed160109bdfd10b

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
77KB

MD5
cd91de5b9c1203c6d648054144365933

SHA1
2fca897ff573d603a3b60d59cb319c737d576419

SHA256
d83dd219522efd968a516af467ed0cbcf3f30bdf4be5ab22e35390c807da7825

SHA512
fe623cde46743f411a5a669b5f23e86bdd3d1fcded12d2ef7d61b85c137cda8431acd8bf6c073d20057fd4b9107b1a95eab34fc7fd83514c6fa4d77d35a94d30

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
77KB

MD5
4d99a63491ffd527587df45291980b82

SHA1
e1db6df2fc638fd439472b838e8a9291ec2cb475

SHA256
e0bedafe93868943a11afc36ba29ceb140d6487db3973899a42ea5cd0745b9a0

SHA512
d41c519c9cb120f92a231a1c833aeebdd884fc2583ceb3edf514c49126f98f5731bcb63eabb9b3c5a830cffe2771e9dec5ac6e98d4492ee465b8193fcf3c1e3c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
77KB

MD5
6dbd08981ec0ee648d931ddce3126364

SHA1
696ed3f2a159e03c8b48b133aaab8174eef27356

SHA256
c24628af83fdc647429b050458058220706cd6ba8750e759578f08b97c4e0d34

SHA512
9cbcebbcb534d4137bf496f2bf891d7e5224bce9310a48c6a72c2b2808f3430465305befe5db344d2458c6e7db0851fb523fd358465a074cd4d7a991b471c4ed

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
77KB

MD5
b226017dd55f3f19df5ff33e0974407b

SHA1
349dcab71807eaf3ab7177b6d9c0de1cde85f466

SHA256
2c83371a5d25c872f241b0ef40600806a3ed27938413f9a0fb09fdde9dfef649

SHA512
0b923f7c38a30bc373fe3b04958b6f5d3fa27dea7e1e3761a6bd46a9ef1ace76fda06b205c34ecabf7200ad01708a9a933b606ec27efbabe4393daa298850e56

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
77KB

MD5
802cbc46ec58dd5bc108b858c6fbad5f

SHA1
2f03e6f5ee81affc23fd892f0df25d5bb3108804

SHA256
606811442d03ef88568fc7a7e97da2e6b8a8bfb92e1797624d22ed94c3df6618

SHA512
70414633e91635f476a4b74d264ea204816221dd79d4eb79bc1e3a7a7b4afdbf454a09e71f475f4733d38a26eaab3cecc82a624cba976fe10e2f598ac3fb0c96

Download Submit
memory/1200-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3476-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4184-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4184-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads