bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05d

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 13:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
Size

59KB
MD5

e9d7eb31a6f7e3e7d16b30a639fa8610
SHA1

efc5f7e23db20179cea3177cc61764e4ce565af5
SHA256

bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05d
SHA512

d65c98293c4702a97d4e54b8a178f1d8417a139a738ce4b7ee7f420588a088ac835579a16d03b7fb4c4eee2d4ec6c663f18e92bc2af6253a9c55517cb96fe0f2
SSDEEP

768:YRscCvfYhfMBoYh1+57d0hfVUMXkSz1eVGwBHXeuNI+NHN2p/1H5fHXdnhfXaXdh:YmRUEBoY7+5qVVdXt1eVB3p++n2LFdO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Executes dropped EXE 9 IoCs

pid	Process
4148	Daqbip32.exe
824	Dhkjej32.exe
4844	Dodbbdbb.exe
896	Daconoae.exe
3264	Dfpgffpm.exe
1096	Dmjocp32.exe
3724	Dddhpjof.exe
2432	Dgbdlf32.exe
1584	Dmllipeg.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1052	1584	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4148	2340	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe	82
PID 2340 wrote to memory of 4148	2340	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe	82
PID 2340 wrote to memory of 4148	2340	bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe	82
PID 4148 wrote to memory of 824	4148	Daqbip32.exe	83
PID 4148 wrote to memory of 824	4148	Daqbip32.exe	83
PID 4148 wrote to memory of 824	4148	Daqbip32.exe	83
PID 824 wrote to memory of 4844	824	Dhkjej32.exe	84
PID 824 wrote to memory of 4844	824	Dhkjej32.exe	84
PID 824 wrote to memory of 4844	824	Dhkjej32.exe	84
PID 4844 wrote to memory of 896	4844	Dodbbdbb.exe	85
PID 4844 wrote to memory of 896	4844	Dodbbdbb.exe	85
PID 4844 wrote to memory of 896	4844	Dodbbdbb.exe	85
PID 896 wrote to memory of 3264	896	Daconoae.exe	86
PID 896 wrote to memory of 3264	896	Daconoae.exe	86
PID 896 wrote to memory of 3264	896	Daconoae.exe	86
PID 3264 wrote to memory of 1096	3264	Dfpgffpm.exe	87
PID 3264 wrote to memory of 1096	3264	Dfpgffpm.exe	87
PID 3264 wrote to memory of 1096	3264	Dfpgffpm.exe	87
PID 1096 wrote to memory of 3724	1096	Dmjocp32.exe	88
PID 1096 wrote to memory of 3724	1096	Dmjocp32.exe	88
PID 1096 wrote to memory of 3724	1096	Dmjocp32.exe	88
PID 3724 wrote to memory of 2432	3724	Dddhpjof.exe	89
PID 3724 wrote to memory of 2432	3724	Dddhpjof.exe	89
PID 3724 wrote to memory of 2432	3724	Dddhpjof.exe	89
PID 2432 wrote to memory of 1584	2432	Dgbdlf32.exe	90
PID 2432 wrote to memory of 1584	2432	Dgbdlf32.exe	90
PID 2432 wrote to memory of 1584	2432	Dgbdlf32.exe	90

C:\Users\Admin\AppData\Local\Temp\bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe
"C:\Users\Admin\AppData\Local\Temp\bcbff1a5efd190c0f651d7d7b842590e61a9bb0e11ac7cc97fbcbfb82f7da05dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\Daqbip32.exe
  C:\Windows\system32\Daqbip32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\Dhkjej32.exe
    C:\Windows\system32\Dhkjej32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\Dodbbdbb.exe
      C:\Windows\system32\Dodbbdbb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
      - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 396
        11⤵
        Program crash
        
        PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1584 -ip 1584
1⤵
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
59KB

MD5
99f88432f0cf6f3ab48b90e91ab2fdb0

SHA1
2a72f00ace297a0896a5349975047c3e2f1ff4ad

SHA256
c09dd1ee9ec332d6fadc2150646467e7b5ba6865f858fa1dc09229d3b0410055

SHA512
6d05549285c7e84566fc273f41b663310f42a4695ae782357c718d3c66ae81d25259e227f626383af3b8dbeb4f594bafad344f209537b89920499cd9e0198038

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
59KB

MD5
0a63139fb1009b2521de7a31b3de1f22

SHA1
ba1793931f553aa46fb3445abb147d9657e1d5eb

SHA256
fbf0305be6b04f4ff20eb8872f9c025195b634893f00040b780dcff7dc3b9716

SHA512
17ddf90f9a12b25299916d2ec964070711632db61505257a8b35ce18a9ac8f2a43d0744efc83f7a6143b83365a4653ec8ddf2b308ad9cf4b68270d872d4afb24

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
59KB

MD5
dede3a5d378ed5c510033f554d70a862

SHA1
71b4900da80952235fe6ef529ab979c2cde7406b

SHA256
71085340a5dee7852181e921001ea8549ab8114112916086700c2075b5d8344e

SHA512
8c0043bc8df293c484399d203bba9e28820531b404c7c98cd722eb6cd1a12b1941b5ed7dca09cc1b321834bc8a28ce0372c99fd4dbf091188b96f6e96ad0c4f4

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
59KB

MD5
a27480e5b68ad2ece18e2e8ebc067a4c

SHA1
0b96fb636dd1761ff7f8f584a921c458a5e89e43

SHA256
48c51fe9f6fa3fe63f24a64334c391f34d410bb758f51e3a7e2a8ac254e82365

SHA512
c6c00c90259f2af7da4b17efe1573a728575f4d1644829076d40114eff2c1bddba4ddac2867843d2d4136332c8e3c5ae152fa0bde32b2041618bf3ba381a5460

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
59KB

MD5
fe56430cf7811d5441af81bea4576641

SHA1
ec98225b174ab8eec3bacafda769db7ecdd5bdf6

SHA256
6f67db57902be24efa8f48f957394073318d10113449a540adbafe0f94d5ae5c

SHA512
3510e62a7100ff1f534377f029ab2bca9e52c2d195f449f09cac1b84793b2a2f8cd2e01a0bdfe9e897ac7220e7a25e04f7d470c9a215697264f9921a3ae1a09d

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
59KB

MD5
665d36854d1db85330e1f16f7d9d676a

SHA1
a28fc155049c0293b0a5610cadabada1d3a99d0c

SHA256
f4d8dd9f84e7eb1910ce7df9478e52abf1005e8bc4e28d124b331bbed2307ff9

SHA512
3bb9304ae777106a85558e3683e57bc2ce7662526ba70b851cd61d51bb551d55a380dd020931eb803e64c8295a7d8a37113c513be0537b8e20febb384024e9eb

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
59KB

MD5
8dc5c090722892eb442eff1a7b308bec

SHA1
eddea2baf292a875bf81041be53a7b3ce956d41d

SHA256
286fc3d0e992deefbb039c1b75f231c5205061c6ed5b5462af17ab088a84f87c

SHA512
3e44987279f2d49fb7a9f9e84490a190e2e7124d00f26c03edc830997a3c84ea5824519a7e8fa7239b56adbf902d5123e3d88ba02688a415f22ef2cea2e57a2d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
59KB

MD5
99e2fc2e0e07a8c37bcbae048b4d5dd8

SHA1
362ff1ed4befc9b369e59e8368a1ef8bd3a0f3cd

SHA256
29f35bbc082739e9845679b500feabc7442a997bd2676c74a7ca5e019760e678

SHA512
c579c77fba9b6d6d84d0deff2919e6cacb61dd335df5e13a840ef88dff1c9975e8d315510744547a8229bddd3ea5c73e80329bbacdee67008afe780b3b065847

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
59KB

MD5
f26976ef7328b60572a74152c4b0d092

SHA1
1bb4843b87ae501320e8281049ca9c72ca2af804

SHA256
1585f883d029a5619c38d00698f588869584ec2b0dd97351ab30e70632802fd7

SHA512
0afc58ffda33938e6eb5737cfc030bfd5f39482cbe0e001baf105b3c0944bb03234f488130838a0baa02339473c287730c33a855aab7cdb5ee1d071510fd681b

Download Submit
memory/824-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-1-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/2340-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads