Overview

overview

10

Static

static

3

031b293b63...88.exe

windows7-x64

10

031b293b63...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    031b293b63b8f0c899da68b560eecfbebe8570097c37d964cb9b05bfc83c9588.exe

  • Size

    470KB

  • MD5

    e2f327000b16959d93224170a51e5fe6

  • SHA1

    f358e501e39d95b52192d37c8278afafadf458c8

  • SHA256

    031b293b63b8f0c899da68b560eecfbebe8570097c37d964cb9b05bfc83c9588

  • SHA512

    3d263a6a0c4a856aff9e25c38da5a3ac79923199e0f47dd9a0eb7f3be7fdd96e24ee9e89692b51a208d3400231ea3ab8c88d1736fd739cd6b467f1fa86434e19

  • SSDEEP

    12288:kt159/Qc8QVj94nLiFzN3b7CUq1u2ztB1XQKTQInqyS6Rm6TIJ3l7DurTG9c8QVH:61594

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs
    persistence
  • Executes dropped EXE 14 IoCs
  • Drops file in System32 directory 42 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 45 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\031b293b63b8f0c899da68b560eecfbebe8570097c37d964cb9b05bfc83c9588.exe
    "C:\Users\Admin\AppData\Local\Temp\031b293b63b8f0c899da68b560eecfbebe8570097c37d964cb9b05bfc83c9588.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\SysWOW64\Cdcoim32.exe
      C:\Windows\system32\Cdcoim32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\Cjmgfgdf.exe
        C:\Windows\system32\Cjmgfgdf.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\SysWOW64\Cmnpgb32.exe
          C:\Windows\system32\Cmnpgb32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4384
          • C:\Windows\SysWOW64\Cdhhdlid.exe
            C:\Windows\system32\Cdhhdlid.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:924
            • C:\Windows\SysWOW64\Ddjejl32.exe
              C:\Windows\system32\Ddjejl32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1332
              • C:\Windows\SysWOW64\Danecp32.exe
                C:\Windows\system32\Danecp32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4184
                • C:\Windows\SysWOW64\Dobfld32.exe
                  C:\Windows\system32\Dobfld32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4980
                  • C:\Windows\SysWOW64\Dkifae32.exe
                    C:\Windows\system32\Dkifae32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4800
                    • C:\Windows\SysWOW64\Dhmgki32.exe
                      C:\Windows\system32\Dhmgki32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1972
                      • C:\Windows\SysWOW64\Daekdooc.exe
                        C:\Windows\system32\Daekdooc.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1408
                        • C:\Windows\SysWOW64\Dddhpjof.exe
                          C:\Windows\system32\Dddhpjof.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:116
                          • C:\Windows\SysWOW64\Dgbdlf32.exe
                            C:\Windows\system32\Dgbdlf32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:3708
                            • C:\Windows\SysWOW64\Dknpmdfc.exe
                              C:\Windows\system32\Dknpmdfc.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:3260
                              • C:\Windows\SysWOW64\Dmllipeg.exe
                                C:\Windows\system32\Dmllipeg.exe
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:1492
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 408
                                  16⤵
                                  • Program crash
                                  PID:744
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1492 -ip 1492
    1⤵
      PID:1032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Cdcoim32.exe
      Filesize

      470KB

      MD5

      35a6cbf15d7bb5d221972227f7a82dec

      SHA1

      4c82c6203cd264bf6a5c3e6f5cc227878219d8bd

      SHA256

      89a6f8885712dc2976ade8845914d2e03f1ee357b78830b14a2f563c385707f9

      SHA512

      b32d9827c9bc951032e76d96cb70fbb792bc70698f2e763c675586ab937f86d1fd4e2668c9e96c3bef863a8304fb457b6ae91432dd8bc649d256b883adbcfcae

      Download Submit

    • C:\Windows\SysWOW64\Cdhhdlid.exe
      Filesize

      470KB

      MD5

      a539465a11da4d6835df55b6df29bed5

      SHA1

      982320848d9205c659efa92d09b027606c4ab21a

      SHA256

      572c0d64e24a1537f3510bf6f3b3ebc7f317b95873bc4c3459958819a75e8023

      SHA512

      690dc4938033e7c23f4972089927a881324c91afd820a5899f2e32bcb78a38ea45bd1e799ccc4febd2657d87080844940511949c368ac76451a8a121dff2e48b

      Download Submit

    • C:\Windows\SysWOW64\Cjmgfgdf.exe
      Filesize

      470KB

      MD5

      4948e7693a0d5d0d934c7779e33d58d3

      SHA1

      cf0e4f9b057930bebfeca33598dff618c43977de

      SHA256

      1baf1e9cbe1ed91be2dc2072cb39c26568715c4c1a305ac4b5e78dee24569cce

      SHA512

      73943f66de095076f7d2d380ddfff25bf082547fe14ecafc6a9b98a14c3555fbd648c414f7acc19d11b2bb89c970bd527928ca54a947b843c674835d54913dd4

      Download Submit

    • C:\Windows\SysWOW64\Cmnpgb32.exe
      Filesize

      470KB

      MD5

      a64f506805071db234e658ff770c0183

      SHA1

      17023d3a7427fbd7ea4f2709980a952d5d467a69

      SHA256

      6d0fa2dfeb2f63e202fe85f4a8c9de407b45dc953195edde34c959e19dbb20ef

      SHA512

      e0e1cbdbf1716645280d9e82a0bc52695c978c243438469810d077a69c91643c0166391a0a5efd10ee04d952e131a61116ee3ec1b8dac4b468efe5b992d27432

      Download Submit

    • C:\Windows\SysWOW64\Daekdooc.exe
      Filesize

      470KB

      MD5

      6cca54732398d5ecb9023430112cd71d

      SHA1

      ca7748d2d3d31ce9aa0eb8cf1ece7b52d95f0b31

      SHA256

      33c4c78dddba31e10c57eb2365e9eddbb1e84198131baba75b1cfbf9deb8428c

      SHA512

      f567ad2204d3df4709348418c616c6e68e549d684d039af330ec01c151a5f5c86cf882a00e1456a6943803df8e0cd795123fe24314e2c815de440140864ee9f4

      Download Submit

    • C:\Windows\SysWOW64\Danecp32.exe
      Filesize

      470KB

      MD5

      add2e490564ca10ebb37fe37ffdc4efb

      SHA1

      171ef36589e3043599ff97f88e618f83da25f0de

      SHA256

      fbcf29090607722f98526fe1456938dbf9f8b246a77341b9cc8c586ca68cdbc5

      SHA512

      52f746908df18c8c3351ab4c12eba1f66eea8f0c28c96a3fedbe8c34ccfe1a83825adb71a76e97c7f8d7f29d86a987811ddd1d8f192f639c42caa84d7a7ececc

      Download Submit

    • C:\Windows\SysWOW64\Dddhpjof.exe
      Filesize

      470KB

      MD5

      8fd44a670aaf35c250a04ebd430cb4c5

      SHA1

      515a11b41d0589c9dd5b7f5726008ade6cc0401c

      SHA256

      01d5c469e386cba80653251a46058b5d92e48d1c02b93c2c5d1420da732665f4

      SHA512

      c734d5b36d165cf9780f70d67ad90f09a79ee807f9392db624c33836ab004ed8f17f70303c8a4da66a08c76e0b2405bdadbb1e94a1e0372c4b9d3ad13d023718

      Download Submit

    • C:\Windows\SysWOW64\Ddjejl32.exe
      Filesize

      470KB

      MD5

      a7b4694b5d5f50a262bb12f0e1f7fabf

      SHA1

      c62cef3d2bf06a3bb5bdade44f6db2f17d780f75

      SHA256

      15d6b7a1dfd7fa7e02f30d47a26604dd2c8b721734ab3ad5e39e9962ccac5b16

      SHA512

      5b4feea212e756e9d25d29c6bf73890657bdb451cf63e0e69bc6b15ccbc150d972293c8f4b007b4b3d7ab5a95560656b50ff2e63ea9bbe3efcdc2593d48fd59d

      Download Submit

    • C:\Windows\SysWOW64\Dgbdlf32.exe
      Filesize

      470KB

      MD5

      58b52ca5f41909b99972bd8efd856dc9

      SHA1

      0bf05bfb8eb75320577a21510e21444c9b80abc1

      SHA256

      a666b3180b27225f61d95ef41607e041eb42977701a553d0d846bc4da1a5e498

      SHA512

      9f5aaa0497481b09df9b1be95602cef73197111ecc5cba34947bb7748eb765ad68234dc22912679cb9888831454516700e3662f1d94f0c39b302866a196d0fde

      Download Submit

    • C:\Windows\SysWOW64\Dhmgki32.exe
      Filesize

      470KB

      MD5

      6f46fa8af0bd4ae23f06dc9707a0e49a

      SHA1

      0207ae529f9c79ab8a01245fdcbd69541740d916

      SHA256

      d77336891ac966ae003abfc5f93d301bb9bdbffc4017b092858b9a9aa8f5eec2

      SHA512

      aecd61c98ebd45d3dbc5591c02ab7a354fc33133fd8c505272e22857defba286bd236335a1a360b9d379b169a1115a182a12730b9386ba78e11f8373db373525

      Download Submit

    • C:\Windows\SysWOW64\Dkifae32.exe
      Filesize

      470KB

      MD5

      0966a10e52573457330810d1d05b7cdd

      SHA1

      284a033f8b2475303bfa84695f08fa78e548ea39

      SHA256

      35fed51126c0b9513b1dba1fd63a0cedefc4925407b5f4cf009c4f29e2c90cfd

      SHA512

      91d9ecefc1706d1ddecfe0f2edcb51f400d9fa4402f6a2aaab75de9bad310de0a27296896a4417026afd1bef1b7f84f554b99df8c215c2f96f6a867e4f5d40f4

      Download Submit

    • C:\Windows\SysWOW64\Dknpmdfc.exe
      Filesize

      470KB

      MD5

      a232c7e602f332677806d37689aeafa5

      SHA1

      0e274901e3797ad1fb978c6c05ef8a99eb026c7d

      SHA256

      a993c92ca2ca9a9754113b9fc49081776a2dd168360377d5e9b62b964b11c10b

      SHA512

      eeaf7fdcc3761929624f32c5a38f9eb9497350d9dd46618328965bc35af48dbbc0ef0313bba417eb6dd15898aed7ffbfdc0130d35557f83eddf69c2f54f46faa

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      470KB

      MD5

      430bf9cb764130c986e3bb9f425f08a3

      SHA1

      96caefa3965797c2b7de4cdeadf8d0aa6a812ddf

      SHA256

      8dbcd954e387fc9b020a825cc0f028564f3ad9044872d5297c3045693550170e

      SHA512

      e687bd6267a7110cb0835f2a53fe08da04613a5fa96e5419e2708ff392ffd606a2c1bdabbf2d56b410922717abe96afc1b01c7aa71352cbd39f07a3f6825fb3c

      Download Submit

    • C:\Windows\SysWOW64\Dobfld32.exe
      Filesize

      470KB

      MD5

      d1395f733143812c4ac561b770b54228

      SHA1

      c401a44e1ec66b40911b50da5c889e13e6bf28fb

      SHA256

      92ba2436a9a2ddedf2989db481dce6126c97b94cf818607c00285edb2db5240e

      SHA512

      8486bdac99ab33c2764d2a27956478e6e8f84614c6f39ad8f2b64930183b274dbe8a8e204b17a63374649ea010aa092d21ff9908e887b985a1b7002eae3ca016

      Download Submit

    • C:\Windows\SysWOW64\Hfanhp32.dll
      Filesize

      7KB

      MD5

      a31c85aed5085160d75bdcc8233a4e5d

      SHA1

      dd0fed28336a7e2fc9264d7af81349d567f1e6fc

      SHA256

      c19e5a1692897a1fffd9f5b398e8d740880edbb3bbec2516f6540e80235903a7

      SHA512

      674ccc88e22d40ea14e4d02063c0a02b8bbe22acd0ccc3d10c473930e3a0ad0897a650f635ae81836cc8068c3e88b586fe924e593ed6123c8f9c6f22f800584f

      Download Submit

    • memory/116-120-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/116-87-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/116-118-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/924-32-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/924-134-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1272-138-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1272-16-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1332-40-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1332-132-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1408-125-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1408-79-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1492-112-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1492-115-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1972-71-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1972-123-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/1972-122-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3260-104-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3260-116-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3708-119-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3708-96-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3872-140-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3872-8-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4184-47-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4184-130-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4384-136-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4384-24-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4800-63-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4800-126-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4980-55-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4980-128-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/5004-142-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/5004-0-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download