6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Size

352KB
MD5

da50cfd84f86dfe4279ada288e0e15a0
SHA1

176bb6c87a2b4f0e39f8cdd7afb4fdec089536f8
SHA256

6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7
SHA512

5461e975b52a6a0aef163ab5ec756801c888941032f07708351cf4443c06fae74c9f702e540ca0b487695cf11f76f8f4db33b159dbfbceff14de26581e90fd62
SSDEEP

6144:V47jal16z9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:O7mnsUasUqsU6sp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe

Executes dropped EXE 12 IoCs

pid	Process
3216	Ceehho32.exe
4788	Chcddk32.exe
2792	Cjbpaf32.exe
976	Ddjejl32.exe
4176	Ddmaok32.exe
4000	Dobfld32.exe
1764	Ddonekbl.exe
2344	Dmgbnq32.exe
2448	Deokon32.exe
1944	Daekdooc.exe
612	Dgbdlf32.exe
5000	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1832	5000	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 3216	232	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe	82
PID 232 wrote to memory of 3216	232	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe	82
PID 232 wrote to memory of 3216	232	6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe	82
PID 3216 wrote to memory of 4788	3216	Ceehho32.exe	83
PID 3216 wrote to memory of 4788	3216	Ceehho32.exe	83
PID 3216 wrote to memory of 4788	3216	Ceehho32.exe	83
PID 4788 wrote to memory of 2792	4788	Chcddk32.exe	84
PID 4788 wrote to memory of 2792	4788	Chcddk32.exe	84
PID 4788 wrote to memory of 2792	4788	Chcddk32.exe	84
PID 2792 wrote to memory of 976	2792	Cjbpaf32.exe	85
PID 2792 wrote to memory of 976	2792	Cjbpaf32.exe	85
PID 2792 wrote to memory of 976	2792	Cjbpaf32.exe	85
PID 976 wrote to memory of 4176	976	Ddjejl32.exe	86
PID 976 wrote to memory of 4176	976	Ddjejl32.exe	86
PID 976 wrote to memory of 4176	976	Ddjejl32.exe	86
PID 4176 wrote to memory of 4000	4176	Ddmaok32.exe	87
PID 4176 wrote to memory of 4000	4176	Ddmaok32.exe	87
PID 4176 wrote to memory of 4000	4176	Ddmaok32.exe	87
PID 4000 wrote to memory of 1764	4000	Dobfld32.exe	88
PID 4000 wrote to memory of 1764	4000	Dobfld32.exe	88
PID 4000 wrote to memory of 1764	4000	Dobfld32.exe	88
PID 1764 wrote to memory of 2344	1764	Ddonekbl.exe	89
PID 1764 wrote to memory of 2344	1764	Ddonekbl.exe	89
PID 1764 wrote to memory of 2344	1764	Ddonekbl.exe	89
PID 2344 wrote to memory of 2448	2344	Dmgbnq32.exe	90
PID 2344 wrote to memory of 2448	2344	Dmgbnq32.exe	90
PID 2344 wrote to memory of 2448	2344	Dmgbnq32.exe	90
PID 2448 wrote to memory of 1944	2448	Deokon32.exe	91
PID 2448 wrote to memory of 1944	2448	Deokon32.exe	91
PID 2448 wrote to memory of 1944	2448	Deokon32.exe	91
PID 1944 wrote to memory of 612	1944	Daekdooc.exe	92
PID 1944 wrote to memory of 612	1944	Daekdooc.exe	92
PID 1944 wrote to memory of 612	1944	Daekdooc.exe	92
PID 612 wrote to memory of 5000	612	Dgbdlf32.exe	93
PID 612 wrote to memory of 5000	612	Dgbdlf32.exe	93
PID 612 wrote to memory of 5000	612	Dgbdlf32.exe	93

C:\Users\Admin\AppData\Local\Temp\6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe
"C:\Users\Admin\AppData\Local\Temp\6d7c1caf44dfe5b03b9c466fe8aeed0c336e20233ae06a0aaf788cbf868463d7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SysWOW64\Ceehho32.exe
  C:\Windows\system32\Ceehho32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SysWOW64\Chcddk32.exe
    C:\Windows\system32\Chcddk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\SysWOW64\Cjbpaf32.exe
      C:\Windows\system32\Cjbpaf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 404
        14⤵
        Program crash
        
        PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5000 -ip 5000
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceehho32.exe

Filesize
352KB

MD5
7fa432df61ea4c395160121bf4526976

SHA1
2cd512f482f2f85736578ec36569bc30a6e51292

SHA256
427201e097cf3a84de67e49c5bb9a8b2ea58d3b0ca8f463d6229572c0bae0ad9

SHA512
d1b53e7947a5c34ad2b4b8157472586c857f944e8307c56d0195f6052955cbba411ec077682a178204b3025922d9bb45863a8550d62ca762cab87875ecf9e427

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
352KB

MD5
9769aeba04b27a8c47fc4b6ef87f7043

SHA1
9164f83d2660f851353af7ed5c2d8fbbc02d5896

SHA256
fcd27f4f9b422dbd94843533f459c0af961c9264a833965c5216c584790cccea

SHA512
fcf4e42456e33cca2b1ea67513d3a45b69be0754ae245bc21c639acce7beb88670061de673a3bd8c008daf410b3e8c9d8137e1bd091f9e2cf7ad21843fb599d2

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
352KB

MD5
f452168a4b00d6e527b5789dc02f3201

SHA1
7cad0590abcab1277b24a32f33f554e28e0f9a03

SHA256
b69e59e9ed7f5a9019c9c70c2fae7d2b44326a3aaf89e401578c417fb2682300

SHA512
bbdb767486459f425545d7c5e0182eaad8eb884e439568b295098f51caa0cdb0221c7dfbda2900d61c1014d2b36886bb532d41b19976b746f68d1a792cae89cf

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
352KB

MD5
7fbcdc19f2fa3c9845697d02b7efb38c

SHA1
ad3ea1258980b3b022f4147d4abc50986248f586

SHA256
c6c3726f033daf4a1cc8b9684dd3cf0f02dba7dc035070cae4f175dd5d6b1732

SHA512
3f40c19a41fda215aa13545dfc3ef5db2d589e03994c5f8c2e3178d817b0e23b802a8a114aa71b6bda51c6a392c8b5ae9bbc6bfb1259f7c262b98c4a1601c7bf

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
352KB

MD5
233c58730184e70750aa9ed1cc324b8f

SHA1
b97354d5173aa27346574c572190006df22509dc

SHA256
ed3307562a2d0c086e9de1ab1e5960e92eef808ba7e4df18224bbd4e5bdc1f75

SHA512
a280fb746d48b4cae5166f8dea718af7b6c0602b43f34bd2bf9608d65069551aa1b45ad406617e74a3846cbd09cd7a009a7238e4847080d063477df9a4fc742f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
352KB

MD5
1412751eca98dc697bc8149a4c576e62

SHA1
e5b3c045c1fb82cd4db4314d127a00efe3f7fac8

SHA256
a333de7e6bac9ff8d4697ea1dd031efe17b4dc675509c5d6be66dda71398c520

SHA512
09425585d91c9813d686b657e54226ce0066cb3508f9fda6915efa505fcfdb4f1c7ba853bbb84b4bb78003fbf90e8084d550b98f762a98f9ab8455f55132a0dd

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
352KB

MD5
1e065ebb6d6c2cbfdc669ef5741abec9

SHA1
daac5d4c3648f653382537e701de703653f64b6a

SHA256
c6d4133eb188788eff84649877a21a93839253f264ad152b89d092f22fa8a7ba

SHA512
2dfba22a95d4d232d383a307baa2229043684e21a71da987a8fcdb611b09fde469d07ae939dd442c99c2b1d97ead5322815ca41ce13be15579a4a4f6f56d7cac

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
352KB

MD5
69e28bba90db0539d58145424b42e432

SHA1
ec812231355de5009a9cfd6a6f77135a267a3d57

SHA256
aa5594d8c380eba05721f6584519f5b0de49408215078043f921ef5124568cdc

SHA512
b683db35a159eb919fc86914c945958ad26b4f6b2af70498e62d9cbb8de03661826f1716d0b524878d6f9ef7e263e36718fcd566d822cbe08e4c995b450ebb5a

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
352KB

MD5
2d2c81d8e68f38df84fc028985f2b364

SHA1
2dc1bcaa3dce93a16d87a5fec3dc587bdf559929

SHA256
9e0b1ba394f8bf936ee601e8a201cdc60888129e491e22411916fc3e9710eb65

SHA512
d68fbf403052b75d75e173bfc17ce090b0cc8425c3bffd0f0c0fddb86afcfaf9d0845144803e964cf7e74917b61461aec640d99df5b46ccf38b9a0121c268a6f

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
352KB

MD5
1ad269ed1c59724e4ad6f0de8c284947

SHA1
3085d192299da1a39649ebfb7e95bc15e5f4f2a8

SHA256
52e0f41bb43719f3cf596f6a739be7e0eb9e4028e2126c1a4d95292154ef9134

SHA512
be7b9909f0f4afcf3b2f01710b982f8bf33577c127ea111fae62a428923cab9e9db9c0058432ef527846960f00a0b0fdfd83d41c6a197c5d79d6c7b8797a9dfa

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
352KB

MD5
50b3920e359d2c66e1df99c6247c31a4

SHA1
91987048ecda48d0aa9e4db9abfdd9505d22ae94

SHA256
a492473d55077967dfce285bbb466de9bf5c7190f6168bc25c28f9beaff6ad7b

SHA512
de79f162cd788147b6031e93ad93c3371b56a5f51d3cd9e6dba49b7062cbbc82b165fb872557683a254cdb4ddeb4a2d835bbc98df702a8686aedc5c6eb097e6d

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
352KB

MD5
68647cfd146a78dedc697f415ed0ca22

SHA1
05e46847f82f5f8aa70b8a63a955b8a4fabb980f

SHA256
5157d05c6c66900856b51d560c7ee0793be6f658a8613a7bc4ab4b29260c6c5d

SHA512
7fff1db71dd0c479d8a4e4e6794df2ede85ceaf48b0811e43bda9d6d9143e348e493c7a2410f783b26b1e453fe4c4f1991f051ae0e451b6125472befbd151902

Download Submit
memory/232-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/232-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/232-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/612-101-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/976-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/976-114-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1764-109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1764-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-103-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2344-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2344-106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2792-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2792-116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3216-120-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3216-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4000-123-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4000-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4176-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4176-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4788-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4788-118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5000-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5000-100-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads