Analysis
max time kernel: 92s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 08:01
Static task: static1
Behavioral task: behavioral1
Sample: dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Resource: win10v2004-20241007-en
General
Target: dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Size: 92KB
MD5: 3ef54d9e28dcf7ed93875d7230f1cd70
SHA1: 4ce6574d4c945e8ed3af05e50235f85c31b855f5
SHA256: dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327
SHA512: a6bef67082c6c69c8b4d80af53bc71bbc51d46d5b10eb256887e49229809fd94b639c12d304d90efafbbc4eb4394d214b3cb0f0a3659903bc5d15d5515e29a6c
SSDEEP: 1536:Gy4MaquZMnClx5000cLR8mr982LKcJ9VqDlzVxyh+CbxMQgn:GOaqSlx5000cL2m7hJ9IDlRxyhTbhgn
Malware Config
Extracted: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 28 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhhnpjmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dobfld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkifae32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhmgki32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dogogcpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dogogcpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhhnpjmh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Delnin32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Daconoae.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deagdn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnjafap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhfajjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dopigd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Danecp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dobfld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Delnin32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Danecp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dopigd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkifae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daconoae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Deagdn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgbdlf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhfajjoj.exe
Berbew family

Executes dropped EXE (14 IoCs)
pid | Process
2328 | Dhfajjoj.exe
4148 | Dopigd32.exe
3204 | Danecp32.exe
3412 | Dhhnpjmh.exe
4500 | Dobfld32.exe
2468 | Delnin32.exe
3416 | Dfnjafap.exe
3140 | Dkifae32.exe
976 | Daconoae.exe
3116 | Dhmgki32.exe
1576 | Dogogcpo.exe
4044 | Deagdn32.exe
4396 | Dgbdlf32.exe
1852 | Dmllipeg.exe
Drops file in System32 directory (42 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Delnin32.exe | Dobfld32.exe
File opened for modification | C:\Windows\SysWOW64\Delnin32.exe | Dobfld32.exe
File opened for modification | C:\Windows\SysWOW64\Dhmgki32.exe | Daconoae.exe
File created | C:\Windows\SysWOW64\Gfghpl32.dll | Deagdn32.exe
File opened for modification | C:\Windows\SysWOW64\Dhfajjoj.exe | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
File created | C:\Windows\SysWOW64\Dopigd32.exe | Dhfajjoj.exe
File created | C:\Windows\SysWOW64\Hcjccj32.dll | Dhfajjoj.exe
File opened for modification | C:\Windows\SysWOW64\Dhhnpjmh.exe | Danecp32.exe
File created | C:\Windows\SysWOW64\Dhhnpjmh.exe | Danecp32.exe
File created | C:\Windows\SysWOW64\Gmcfdb32.dll | Dobfld32.exe
File created | C:\Windows\SysWOW64\Dhmgki32.exe | Daconoae.exe
File created | C:\Windows\SysWOW64\Lbabpnmn.dll | Dhmgki32.exe
File created | C:\Windows\SysWOW64\Agjbpg32.dll | Dopigd32.exe
File created | C:\Windows\SysWOW64\Dobfld32.exe | Dhhnpjmh.exe
File created | C:\Windows\SysWOW64\Alcidkmm.dll | Dhhnpjmh.exe
File opened for modification | C:\Windows\SysWOW64\Dkifae32.exe | Dfnjafap.exe
File opened for modification | C:\Windows\SysWOW64\Dogogcpo.exe | Dhmgki32.exe
File opened for modification | C:\Windows\SysWOW64\Deagdn32.exe | Dogogcpo.exe
File opened for modification | C:\Windows\SysWOW64\Dgbdlf32.exe | Deagdn32.exe
File created | C:\Windows\SysWOW64\Nbgngp32.dll | Danecp32.exe
File created | C:\Windows\SysWOW64\Dfnjafap.exe | Delnin32.exe
File created | C:\Windows\SysWOW64\Poahbe32.dll | Delnin32.exe
File created | C:\Windows\SysWOW64\Daconoae.exe | Dkifae32.exe
File created | C:\Windows\SysWOW64\Danecp32.exe | Dopigd32.exe
File opened for modification | C:\Windows\SysWOW64\Danecp32.exe | Dopigd32.exe
File created | C:\Windows\SysWOW64\Fpdaoioe.dll | Daconoae.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dgbdlf32.exe
File created | C:\Windows\SysWOW64\Eokchkmi.dll | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
File opened for modification | C:\Windows\SysWOW64\Dopigd32.exe | Dhfajjoj.exe
File created | C:\Windows\SysWOW64\Pdheac32.dll | Dfnjafap.exe
File created | C:\Windows\SysWOW64\Dogogcpo.exe | Dhmgki32.exe
File created | C:\Windows\SysWOW64\Dgbdlf32.exe | Deagdn32.exe
File created | C:\Windows\SysWOW64\Dkifae32.exe | Dfnjafap.exe
File created | C:\Windows\SysWOW64\Oammoc32.dll | Dkifae32.exe
File created | C:\Windows\SysWOW64\Deagdn32.exe | Dogogcpo.exe
File created | C:\Windows\SysWOW64\Kahdohfm.dll | Dogogcpo.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dgbdlf32.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dgbdlf32.exe
File created | C:\Windows\SysWOW64\Dhfajjoj.exe | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
File opened for modification | C:\Windows\SysWOW64\Dobfld32.exe | Dhhnpjmh.exe
File opened for modification | C:\Windows\SysWOW64\Dfnjafap.exe | Delnin32.exe
File opened for modification | C:\Windows\SysWOW64\Daconoae.exe | Dkifae32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1748 | 1852 | WerFault.exe | 100
System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Danecp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgbdlf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dopigd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhhnpjmh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Delnin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dogogcpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhfajjoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dobfld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkifae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daconoae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Deagdn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfnjafap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhmgki32.exe
Modifies registry class (45 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" | Dobfld32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Daconoae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dogogcpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" | Deagdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Deagdn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Danecp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" | Dhhnpjmh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Delnin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" | Dogogcpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhhnpjmh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhfajjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll" | Dfnjafap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dogogcpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" | Dopigd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" | Danecp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Danecp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Delnin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" | Daconoae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhmgki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Deagdn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Dgbdlf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkifae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" | Dkifae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dkifae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Daconoae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dopigd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll" | Dhfajjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhfajjoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dobfld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dobfld32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhhnpjmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" | Delnin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dopigd32.exe
Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | Process | procid_target
PID 1724 wrote to memory of 2328 | 1724 | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | 85
PID 1724 wrote to memory of 2328 | 1724 | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | 85
PID 1724 wrote to memory of 2328 | 1724 | dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | 85
PID 2328 wrote to memory of 4148 | 2328 | Dhfajjoj.exe | 86
PID 2328 wrote to memory of 4148 | 2328 | Dhfajjoj.exe | 86
PID 2328 wrote to memory of 4148 | 2328 | Dhfajjoj.exe | 86
PID 4148 wrote to memory of 3204 | 4148 | Dopigd32.exe | 87
PID 4148 wrote to memory of 3204 | 4148 | Dopigd32.exe | 87
PID 4148 wrote to memory of 3204 | 4148 | Dopigd32.exe | 87
PID 3204 wrote to memory of 3412 | 3204 | Danecp32.exe | 88
PID 3204 wrote to memory of 3412 | 3204 | Danecp32.exe | 88
PID 3204 wrote to memory of 3412 | 3204 | Danecp32.exe | 88
PID 3412 wrote to memory of 4500 | 3412 | Dhhnpjmh.exe | 89
PID 3412 wrote to memory of 4500 | 3412 | Dhhnpjmh.exe | 89
PID 3412 wrote to memory of 4500 | 3412 | Dhhnpjmh.exe | 89
PID 4500 wrote to memory of 2468 | 4500 | Dobfld32.exe | 91
PID 4500 wrote to memory of 2468 | 4500 | Dobfld32.exe | 91
PID 4500 wrote to memory of 2468 | 4500 | Dobfld32.exe | 91
PID 2468 wrote to memory of 3416 | 2468 | Delnin32.exe | 92
PID 2468 wrote to memory of 3416 | 2468 | Delnin32.exe | 92
PID 2468 wrote to memory of 3416 | 2468 | Delnin32.exe | 92
PID 3416 wrote to memory of 3140 | 3416 | Dfnjafap.exe | 93
PID 3416 wrote to memory of 3140 | 3416 | Dfnjafap.exe | 93
PID 3416 wrote to memory of 3140 | 3416 | Dfnjafap.exe | 93
PID 3140 wrote to memory of 976 | 3140 | Dkifae32.exe | 94
PID 3140 wrote to memory of 976 | 3140 | Dkifae32.exe | 94
PID 3140 wrote to memory of 976 | 3140 | Dkifae32.exe | 94
PID 976 wrote to memory of 3116 | 976 | Daconoae.exe | 96
PID 976 wrote to memory of 3116 | 976 | Daconoae.exe | 96
PID 976 wrote to memory of 3116 | 976 | Daconoae.exe | 96
PID 3116 wrote to memory of 1576 | 3116 | Dhmgki32.exe | 97
PID 3116 wrote to memory of 1576 | 3116 | Dhmgki32.exe | 97
PID 3116 wrote to memory of 1576 | 3116 | Dhmgki32.exe | 97
PID 1576 wrote to memory of 4044 | 1576 | Dogogcpo.exe | 98
PID 1576 wrote to memory of 4044 | 1576 | Dogogcpo.exe | 98
PID 1576 wrote to memory of 4044 | 1576 | Dogogcpo.exe | 98
PID 4044 wrote to memory of 4396 | 4044 | Deagdn32.exe | 99
PID 4044 wrote to memory of 4396 | 4044 | Deagdn32.exe | 99
PID 4044 wrote to memory of 4396 | 4044 | Deagdn32.exe | 99
PID 4396 wrote to memory of 1852 | 4396 | Dgbdlf32.exe | 100
PID 4396 wrote to memory of 1852 | 4396 | Dgbdlf32.exe | 100
PID 4396 wrote to memory of 1852 | 4396 | Dgbdlf32.exe | 100
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1724

[depth 2] C:\Windows\SysWOW64\Dhfajjoj.exe
Command line: C:\Windows\system32\Dhfajjoj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2328

[depth 3] C:\Windows\SysWOW64\Dopigd32.exe
Command line: C:\Windows\system32\Dopigd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4148

[depth 4] C:\Windows\SysWOW64\Danecp32.exe
Command line: C:\Windows\system32\Danecp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3204

[depth 5] C:\Windows\SysWOW64\Dhhnpjmh.exe
Command line: C:\Windows\system32\Dhhnpjmh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3412

[depth 6] C:\Windows\SysWOW64\Dobfld32.exe
Command line: C:\Windows\system32\Dobfld32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4500

[depth 7] C:\Windows\SysWOW64\Delnin32.exe
Command line: C:\Windows\system32\Delnin32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2468

[depth 8] C:\Windows\SysWOW64\Dfnjafap.exe
Command line: C:\Windows\system32\Dfnjafap.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3416

[depth 9] C:\Windows\SysWOW64\Dkifae32.exe
Command line: C:\Windows\system32\Dkifae32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3140

[depth 10] C:\Windows\SysWOW64\Daconoae.exe
Command line: C:\Windows\system32\Daconoae.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 976

[depth 11] C:\Windows\SysWOW64\Dhmgki32.exe
Command line: C:\Windows\system32\Dhmgki32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3116

[depth 12] C:\Windows\SysWOW64\Dogogcpo.exe
Command line: C:\Windows\system32\Dogogcpo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1576

[depth 13] C:\Windows\SysWOW64\Deagdn32.exe
Command line: C:\Windows\system32\Deagdn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4044

[depth 14] C:\Windows\SysWOW64\Dgbdlf32.exe
Command line: C:\Windows\system32\Dgbdlf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4396

[depth 15] C:\Windows\SysWOW64\Dmllipeg.exe
Command line: C:\Windows\system32\Dmllipeg.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1852

[depth 16] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 404
- Program crash
PID: 1748

[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852
PID: 4256
Network
MITRE ATT&CK Enterprise v15
Downloads