5a00aa45b92d76a65221c7e791d1e46aafd17d3bf8feef6c08ab165ec8d1100b

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d221e8c9450e33888ad4ca992a52220N.exe
Size

80KB
MD5

7d221e8c9450e33888ad4ca992a52220
SHA1

cfc455739cd4303bdc53544145a1bb96a3edbb2c
SHA256

5a00aa45b92d76a65221c7e791d1e46aafd17d3bf8feef6c08ab165ec8d1100b
SHA512

fb842d5a8e6a99581832115003d89fbf368571db57ec5be70dad4197223ae42ad5a3fa5cc21af00935e784a4aac9a8e5f9273f376fc560efd42891535a2a5a87
SSDEEP

1536:m8uCvsEpoYWrybnZiJozecQ603ic9G2LVCYrum8SPG2:vnjpVWrybnZeozNoic9VVT8SL

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7d221e8c9450e33888ad4ca992a52220N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7d221e8c9450e33888ad4ca992a52220N.exe

Executes dropped EXE 9 IoCs

pid	Process
3208	Dfnjafap.exe
4864	Dodbbdbb.exe
1256	Deokon32.exe
3424	Dfpgffpm.exe
4808	Dogogcpo.exe
3260	Daekdooc.exe
2132	Dddhpjof.exe
4592	Dknpmdfc.exe
4680	Dmllipeg.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfnjafap.exe	7d221e8c9450e33888ad4ca992a52220N.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	7d221e8c9450e33888ad4ca992a52220N.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	7d221e8c9450e33888ad4ca992a52220N.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4224	4680	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d221e8c9450e33888ad4ca992a52220N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7d221e8c9450e33888ad4ca992a52220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	7d221e8c9450e33888ad4ca992a52220N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7d221e8c9450e33888ad4ca992a52220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7d221e8c9450e33888ad4ca992a52220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7d221e8c9450e33888ad4ca992a52220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7d221e8c9450e33888ad4ca992a52220N.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 3208	824	7d221e8c9450e33888ad4ca992a52220N.exe	83
PID 824 wrote to memory of 3208	824	7d221e8c9450e33888ad4ca992a52220N.exe	83
PID 824 wrote to memory of 3208	824	7d221e8c9450e33888ad4ca992a52220N.exe	83
PID 3208 wrote to memory of 4864	3208	Dfnjafap.exe	84
PID 3208 wrote to memory of 4864	3208	Dfnjafap.exe	84
PID 3208 wrote to memory of 4864	3208	Dfnjafap.exe	84
PID 4864 wrote to memory of 1256	4864	Dodbbdbb.exe	85
PID 4864 wrote to memory of 1256	4864	Dodbbdbb.exe	85
PID 4864 wrote to memory of 1256	4864	Dodbbdbb.exe	85
PID 1256 wrote to memory of 3424	1256	Deokon32.exe	86
PID 1256 wrote to memory of 3424	1256	Deokon32.exe	86
PID 1256 wrote to memory of 3424	1256	Deokon32.exe	86
PID 3424 wrote to memory of 4808	3424	Dfpgffpm.exe	88
PID 3424 wrote to memory of 4808	3424	Dfpgffpm.exe	88
PID 3424 wrote to memory of 4808	3424	Dfpgffpm.exe	88
PID 4808 wrote to memory of 3260	4808	Dogogcpo.exe	89
PID 4808 wrote to memory of 3260	4808	Dogogcpo.exe	89
PID 4808 wrote to memory of 3260	4808	Dogogcpo.exe	89
PID 3260 wrote to memory of 2132	3260	Daekdooc.exe	90
PID 3260 wrote to memory of 2132	3260	Daekdooc.exe	90
PID 3260 wrote to memory of 2132	3260	Daekdooc.exe	90
PID 2132 wrote to memory of 4592	2132	Dddhpjof.exe	91
PID 2132 wrote to memory of 4592	2132	Dddhpjof.exe	91
PID 2132 wrote to memory of 4592	2132	Dddhpjof.exe	91
PID 4592 wrote to memory of 4680	4592	Dknpmdfc.exe	93
PID 4592 wrote to memory of 4680	4592	Dknpmdfc.exe	93
PID 4592 wrote to memory of 4680	4592	Dknpmdfc.exe	93

C:\Users\Admin\AppData\Local\Temp\7d221e8c9450e33888ad4ca992a52220N.exe
"C:\Users\Admin\AppData\Local\Temp\7d221e8c9450e33888ad4ca992a52220N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\SysWOW64\Dodbbdbb.exe
    C:\Windows\system32\Dodbbdbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\Deokon32.exe
      C:\Windows\system32\Deokon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
      - C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 396
        11⤵
        Program crash
        
        PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4680 -ip 4680
1⤵
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
80KB

MD5
ea1743efa6f78df6014c89a657a65a43

SHA1
b70137f45a5d8788c5c3b883720eed5268ff276d

SHA256
94dd090647b7dd8e523af2f18d6948c6fce3c9f390b62e877f2e88a34a070bf5

SHA512
589b968f4c4815fb848c63ab8a105cb14a7116847937775b51de6adc000e35d78fe8d68ecd9c318814aea5cbb6c10e372a83206d8dc228fd3b92930b272cc4b4

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
80KB

MD5
ca775d2d412dc5f0e3d1192b6e78d254

SHA1
4d9e00d0aa9507deb260488ce3c181d4d8ae7f63

SHA256
6e09c6f7c9be22c833b145fdb8505382da936a3b0d488127792fb48a7169c2d5

SHA512
8bc1e8f137dc7d1b9236c5b1113e029bc6299f0acd1b214d907e25568c7a33ce62ecbe1cd4a4294031eb01695a5f7820b889c4f4a09c2813e9fafd4f5ba2e0a3

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
80KB

MD5
263699e920da1eec6c1db39d4d4033b1

SHA1
7a386137668f7b184fc0b0235558c563281918d2

SHA256
a866084ea8605326fda75257a94e967c81428eb2a7db5b2e727d7e6043e554f4

SHA512
01cb2f51aa40290c36a21e4f2a4a4de20545cd2ff65e141b3fce9298f97233670bb986373539d25ec3bc5f1858e7cfc7e7199caac4b6e8c28b2cd4bc044bd778

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
80KB

MD5
87012fc9ec80d7b84a842444a012b37c

SHA1
17cb8c717b8efeb53ff0bc3cde2d2961b8574b31

SHA256
357abc6e20f0da13ef241a73b58f534a163c890e94865ad3f559412923348f30

SHA512
7ebdd5417abee62aecdacd622aebafceaff53901b2aa81eb4a03342c4fa194747c703fb527b87b896b0a2886ce29bbf7786d79df3d62cbb3d8cae315e2349631

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
80KB

MD5
7f61ce664a0509f8224243e6ad5f2b88

SHA1
e7f9b199acf5f2927e8d32c11fe93fe825a41087

SHA256
f59b169aeb9a830eef96076ebf2fb28fea15aacc2b06a833e27cbc54fe911cd0

SHA512
25505d9cd8ff6a73072c03e116a64c969a0c5ff9ea0769558785907cf36aaf0060baba389d4ba6e77b000a481b28ee4b5b841821988b9c5ce85119f779b1cb09

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
80KB

MD5
0dc3b178f91fa6c9f70d7bc6dc67b694

SHA1
ef1067925403252944c5081008eec2abdb79b14d

SHA256
e2ce11507cd78774c9f4c15678508d7aa9139a619943d456853732447acbc108

SHA512
50a3f354ba7bfa6866b9cd69a4bf24f3d660b3f1c80f01e2a13bbacf3a644c19b34e088d84b827327b09f613eb9680c35e345db47b32c9ec70b460c97fa9751e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
d0aadb42ddcbecb18c7aca0413f91b3b

SHA1
7c48fca916bd2e0e91c20459b031d7a68f75abe1

SHA256
c25932b6fdea998740afc78cf75cb02f25beb120f639eafd066ddf0386086848

SHA512
2d5f607f0427165d9185bc2979e995f760cffd18a95d8152e82211e6e295e7f717a714c28af42d1f6e828809df387fcf84306afc7541c93c65855899b4775097

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
80KB

MD5
abfc6009a67641273287c5158dd8fe92

SHA1
70f4db8e24b2f413ca64930c9390dc5964700e73

SHA256
9271c353a7d0c2b5a9d87e3ee26572b214057f6ba407123e79c1cc956c786d2b

SHA512
70f1e3af576bd77c4c7a194acc06da8af9cd3d39cedd29b98141104363a5fca359c151ea1f38f1628ff9c8af49f6ebfcec11c1a90afcf32d84190e001e41281e

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
351a9388269771e019cfeea351c04dd6

SHA1
7fc929b1e1a94d681769f0c2edf8824c782ee4c2

SHA256
198f9403f3bc51b45df048083d03002482678e861cd6ef15c473d5f201d2ca8a

SHA512
b28b5bd48e69f834fb60fe81a2b067d447db7808315c7f742bf99a2308be4082408b10136940d0d9170799309cdfa0bfe3bd8ab2ba26d0318358471e4da6bdbd

Download Submit
memory/824-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/824-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads