a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358

General

Target

a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe
Size

200KB
MD5

88e999ecc8ae895c1aeec91c3c73cdc4
SHA1

66f70e66d569ec289f5090a6fa9c385c24c76cbc
SHA256

a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358
SHA512

482a93ed6f5f7a16bbc460125e6a9ec56326af1b8303e83ebefa905a358ede7c6654f5dfc05b4fb8d564b691a679cade160f13edb0ebc3a6630fe97ffafb2e41
SSDEEP

6144:W8A7Knvmb7/D26rfo9Am26fBXMZ8R3FXjrCTYTQdq4qJUGQBSpYCbw6I:jA7Knvmb7/D26zZ8R3FXjrC8T8q4qJgP

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exedgpaw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dgpaw.exe

Executes dropped EXE 1 IoCs

Processes:

dgpaw.exe

pid process

2324 dgpaw.exe

pid	process
2324	dgpaw.exe

Loads dropped DLL 2 IoCs

Processes:

a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe

pid	process
2224	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe
2224	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dgpaw.exea2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /h"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /W"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /S"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /e"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /m"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /N"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /I"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /s"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /b"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /H"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /o"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /t"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /D"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /J"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /P"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /E"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /b"	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /Q"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /p"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /G"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /T"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /R"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /B"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /K"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /l"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /n"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /z"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /F"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /c"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /j"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /u"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /V"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /Y"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /Z"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /a"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /q"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /g"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /k"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /x"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /d"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /X"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /U"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /f"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /O"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /M"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /C"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /L"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /w"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /y"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /A"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /v"	dgpaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgpaw = "C:\\Users\\Admin\\dgpaw.exe /i"	dgpaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exedgpaw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgpaw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exedgpaw.exe

pid	process
2224	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe
2324	dgpaw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exedgpaw.exe

pid process

2224 a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe
2324 dgpaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe

description	pid	process	target process
PID 2224 wrote to memory of 2324	2224	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe	dgpaw.exe
PID 2224 wrote to memory of 2324	2224	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe	dgpaw.exe
PID 2224 wrote to memory of 2324	2224	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe	dgpaw.exe
PID 2224 wrote to memory of 2324	2224	a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe	dgpaw.exe

C:\Users\Admin\AppData\Local\Temp\a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe
"C:\Users\Admin\AppData\Local\Temp\a2c8cecd44b208d3d1ceb26855fb375d5e04309931486463782e38c6ef1ea358.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\dgpaw.exe
"C:\Users\Admin\dgpaw.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\dgpaw.exe

Filesize
200KB

MD5
24bfdb587d85adcbd15610c0d1e83def

SHA1
3a4332ccc9a385df43b4b38e589c610218804800

SHA256
2a247b6a75db3b767dde32252035ed3e1458ae440ca9a8900c152777c4791a77

SHA512
e5b89ddcf5ca97d5543f3f874c2f9388c15afec089626186441ba5a037f43d770df19084f9ccfd4d8046229dcff3f79395b893ec8e9f43d783da86a912413498

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads