8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425

General

Target

8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Size

91KB
MD5

ee220befdd770fca756654fb961541b1
SHA1

85e88990b4aa7ef997c6b0d6f3240bec8bec2b38
SHA256

8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425
SHA512

2a4ce720c7e1b6b49dfdd4423d6b9e74749d202490dc88b6428701e0db1f9e2b84811388f9fe01a439812a600d96afa0e7261ed7fd2ecc5171303b7f0f938821
SSDEEP

1536:22D8D/1TYwnXJD5CvVWgLHfXFwEKxhvj8kn+VX1NYr/viVMi:BYTpaWgzvFCrnQzo/vOMi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe

Executes dropped EXE 5 IoCs

pid	Process
396	Dmjocp32.exe
2008	Deagdn32.exe
4636	Dhocqigp.exe
1176	Dknpmdfc.exe
1876	Dmllipeg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	1876	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 396	4784	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe	82
PID 4784 wrote to memory of 396	4784	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe	82
PID 4784 wrote to memory of 396	4784	8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe	82
PID 396 wrote to memory of 2008	396	Dmjocp32.exe	83
PID 396 wrote to memory of 2008	396	Dmjocp32.exe	83
PID 396 wrote to memory of 2008	396	Dmjocp32.exe	83
PID 2008 wrote to memory of 4636	2008	Deagdn32.exe	84
PID 2008 wrote to memory of 4636	2008	Deagdn32.exe	84
PID 2008 wrote to memory of 4636	2008	Deagdn32.exe	84
PID 4636 wrote to memory of 1176	4636	Dhocqigp.exe	85
PID 4636 wrote to memory of 1176	4636	Dhocqigp.exe	85
PID 4636 wrote to memory of 1176	4636	Dhocqigp.exe	85
PID 1176 wrote to memory of 1876	1176	Dknpmdfc.exe	86
PID 1176 wrote to memory of 1876	1176	Dknpmdfc.exe	86
PID 1176 wrote to memory of 1876	1176	Dknpmdfc.exe	86

C:\Users\Admin\AppData\Local\Temp\8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe
"C:\Users\Admin\AppData\Local\Temp\8c5c8525a7d46be0b41bf7bc122240c2003b20a6ce3674dafbd0b845e3d4d425.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\SysWOW64\Dmjocp32.exe
  C:\Windows\system32\Dmjocp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\Deagdn32.exe
    C:\Windows\system32\Deagdn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\Dhocqigp.exe
      C:\Windows\system32\Dhocqigp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 408
        7⤵
        Program crash
        
        PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1876 -ip 1876
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deagdn32.exe

Filesize
91KB

MD5
d3265e623f832d168eaf06e711b20ee7

SHA1
c2002cb8bce941a57f75e4fbb6b4dbc3c9034010

SHA256
d54d6acaa2751dffebf8244aa8fc74648b8cb4eca7a62096258b3dd7ed6f8a09

SHA512
814544912b8555478cb071acfa7c53877f90d1770d9b66371f4c260e00d14e1a84520565a98a1210cb52cbea46cdcaa143e039c0bc9ab6b2a11106aca5c75808

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
91KB

MD5
31ee32abc5e167b3a08f3e24e4096afe

SHA1
c30755b8e9512659a379875a2e1bcdd4eff6d969

SHA256
7174ed528f6437e80e33d043d39402561369dfece0743120b169342075b31a92

SHA512
4c080e22a27ee0aa27953a413cb7c5171e40c8ba3475b9b25987e7966ce527f2da72e267d9c4c0f6fb42aa8fec4adf301ad5d7ab0999ee4328a4a3c582d9050d

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
91KB

MD5
92d4b316dc4051a7dcf39cd21c801a10

SHA1
a5f16eac22ab506f92fb34a1a4c2292b72baab09

SHA256
87a12f036c103d01c5ad978bff47b2a30c24797f86f19fa59d44abe8edc789d5

SHA512
57d6e3a46a5da46bcc03e64905ab2f5f749b8d756453349fe895ef695767ba80a2a4fdfbfe64a5be51281b1e442057196511c9dd2ea40782576124866650f3e3

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
91KB

MD5
8154d2354abed55d61535eeabb14e869

SHA1
673e6651893480851a6a0a996cfc936934f2ed17

SHA256
940849fe4c628b4d960bc8472e36865ad01126e6fb102e05b61ed773ef9628ce

SHA512
33e165741ed011d2295eba66282b96a62d5c039526d4bf283ccb9c5d3f6e18f387a96555a21f021588aee4e66e0ee58bc87d75813a346bdd96764b0390ddee88

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
91KB

MD5
e9f0ff872578a136958df1cfe1084235

SHA1
e99bebbaaf111f5d99efe0bcb46c66f7348f58e7

SHA256
14a45c25bd91da0e323e2d1f38e931ae1d48cb15f473eb347f140b1d58b2c529

SHA512
89c080044ddaa50717e40487a66ceb143d2c68861002720130bc5b557152611cf6eb5da7056ac4891d67dbcbbcb809449ce421332c15a8293aac3f89d28b403a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
91KB

MD5
b11ccfe9aa87ef37840318c843b5e21d

SHA1
fa55ecfe416d61bfad3ed5d9199fb6d3444d2d22

SHA256
f9b6c697d206a43a4935b5e90ace868176ab7fc10e10bab0c3ee811e62a21bcd

SHA512
1111fd6eaa3fac4248685c3460b8a6057595af67a8dae34d13f363cb85322ffe7260b072ef9ff9d27fd962017c505c950c9a69a124a71b2cbd8ce27f1df951ec

Download Submit
C:\Windows\SysWOW64\Kngpec32.dll

Filesize
7KB

MD5
da4b16385aaa6bfd11d3e70bcd5b713b

SHA1
de27af28748580c1194da39830eb2701e8e6bcb8

SHA256
771c2b98fc607b5ceb9bc70f4e90ae9703d5febbf56c0ac2ef5b34afbe1b8c31

SHA512
2723cbae26eeae35f8e664ec480f78392d82e66a8c17eab3ae32e8c7208b14fc5536ae999b9e15e61a004c90914d84f56b384632a224a7cb053cc08af3438cbe

Download Submit
memory/396-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/396-45-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1176-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1176-42-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1876-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1876-41-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2008-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2008-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4636-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4636-43-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4784-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4784-46-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads