Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 19:45

General

  • Target

    1084bf17e6aa3b7cfa087eb67a48c9879be9ebe7acf2138850cc29407ae039f3N.exe

  • Size

    406KB

  • MD5

    aea130e1789c7aa263bb2aa81102cc20

  • SHA1

    2f62ed9b02026bd5d884cc842b2249918e74aa86

  • SHA256

    1084bf17e6aa3b7cfa087eb67a48c9879be9ebe7acf2138850cc29407ae039f3

  • SHA512

    8dace1689dda0aa2e850b1f67238df0bafc7125330f8813971893ceb945f40ee95279820e1a76b6bbc2929e49af2f4ea6fdc3f330c0b4b5e7d3a2ecbf9771dd7

  • SSDEEP

    6144:esaU5U5Xj1XH5U5Xj83XH5U1XH5U5Xj8s5DXH5U5qXH5XXH5U5oXH:ZMp3Ma3M3MvD3Mq3B3Mo3

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in System32 directory 27 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 30 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1084bf17e6aa3b7cfa087eb67a48c9879be9ebe7acf2138850cc29407ae039f3N.exe
    "C:\Users\Admin\AppData\Local\Temp\1084bf17e6aa3b7cfa087eb67a48c9879be9ebe7acf2138850cc29407ae039f3N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4660
    • C:\Windows\SysWOW64\Calhnpgn.exe
      C:\Windows\system32\Calhnpgn.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\SysWOW64\Dfiafg32.exe
        C:\Windows\system32\Dfiafg32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\SysWOW64\Dopigd32.exe
          C:\Windows\system32\Dopigd32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4408
          • C:\Windows\SysWOW64\Danecp32.exe
            C:\Windows\system32\Danecp32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4344
            • C:\Windows\SysWOW64\Ddmaok32.exe
              C:\Windows\system32\Ddmaok32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1924
              • C:\Windows\SysWOW64\Deokon32.exe
                C:\Windows\system32\Deokon32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:5100
                • C:\Windows\SysWOW64\Dmjocp32.exe
                  C:\Windows\system32\Dmjocp32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2548
                  • C:\Windows\SysWOW64\Deagdn32.exe
                    C:\Windows\system32\Deagdn32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:492
                    • C:\Windows\SysWOW64\Dmllipeg.exe
                      C:\Windows\system32\Dmllipeg.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1116
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 404
                        11⤵
                        • Program crash
                        PID:1240
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1116 -ip 1116
    1⤵
      PID:3320

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\SysWOW64\Calhnpgn.exe

            Filesize

            406KB

            MD5

            60ef90680176ac98ac005952169bcf1b

            SHA1

            f864147af3e40433940944598e2a47109c6adfc7

            SHA256

            55a564c19ecf5699dc5e01be490a8ab940f1032da2028dd29387536c42bf48ac

            SHA512

            642c80f8c3f625db5b5d733ea36003f7700cd96f3dfa1dc4ba44cbc6bd499763f8445d5b077f86abe2a7e627175ed0f34faac90f32fef08794f4253e07c43ec6

          • C:\Windows\SysWOW64\Danecp32.exe

            Filesize

            406KB

            MD5

            566fb22b89f63322678acdfecefae6b2

            SHA1

            d3351b4932116dbe8d14f9ac1af2cbbefefe8c01

            SHA256

            32bfe3b6cdc054a2aecabe50e773c772fc6425db17ee4959df35d45511ef9728

            SHA512

            ef5db4fe46c0b2618dfaacb17dee0049b9701e9dd472669e887874351249fac7201d7ec28ae1742bc1c77f420131368ece053161831714503a469fcd1b77b48b

          • C:\Windows\SysWOW64\Ddmaok32.exe

            Filesize

            406KB

            MD5

            63bcf413daa6e0862161cd52e3fe8590

            SHA1

            2b7283f2c12fa78a4e61dc19cf441072070df54d

            SHA256

            e48535021ba659e34732f91652effec27172d3c4acec48761a61174d3cb9ef89

            SHA512

            180ab8b321dd7713e14228926d06d85eefef7d059437c3904c619e63633c8066f4402d63c0c07e2956117bfbd932e28de53cc8c30841f81770a74906b74d396d

          • C:\Windows\SysWOW64\Deagdn32.exe

            Filesize

            406KB

            MD5

            479f175b0bb79a8c9634821c575e715a

            SHA1

            3a5ec0bd564377e0255448bf80b30b0593e824cb

            SHA256

            317138afb87fd75e99686bd82f7b78173ea30cad4836d5cc5d15724050674edf

            SHA512

            55e5ed927801005f5999fd27333412966873e844f736256b8e2fc62ad791981a04bdba2e6f8421a2a20756a6c062e331674effaedf7b0160f760228687962ade

          • C:\Windows\SysWOW64\Deokon32.exe

            Filesize

            406KB

            MD5

            946a6265e4f6c6680cd711e156d5632c

            SHA1

            22eb813dff8b6a0a91b4fdc03a8504361e0846df

            SHA256

            7f4643309449f2563c511a59573ba5903699af6b92f6ea1a0d3131908b085b85

            SHA512

            0ae2a6a16ae485518403c0261cecd76e2696ca149e1a5a5abdcac01f36d4657167e9237e6957d43fcd5b028d086aff3e08249d1bc460b82527d0a8ecf88a912a

          • C:\Windows\SysWOW64\Dfiafg32.exe

            Filesize

            406KB

            MD5

            f48229a3114974f99bfd5e0d57a6fce1

            SHA1

            e6f4fbb34a061a5e5dff13d95afbc83cd798178b

            SHA256

            7a62e063df47242acee4013f1805b2a2878079a19f774a9e10b9546247d5a5a9

            SHA512

            071ad881639ed2d6498874c125568fbdfca245a268b73908a85f87c51112a8952c44fbac891d2072aaa7cf4fc65fd006ca4cc6510a8400a89d12442465aa1751

          • C:\Windows\SysWOW64\Dmjocp32.exe

            Filesize

            406KB

            MD5

            552a588a0db14b277b197e7fecef19ba

            SHA1

            3a5ad7ff4a10fb0e64960b2756970e49bf40e904

            SHA256

            395010f0c5f1c370768af60cabd92b30bc94e3efa1c4adf44db4bcd5f6394efc

            SHA512

            ca86e4af6ace914c858cf1b923429b4fe43dca765d2dab85253260539ff0dbac13cbc988acac24535ab05153761b3009bf023a0d714fc86f0c14372b8b8d4926

          • C:\Windows\SysWOW64\Dmllipeg.exe

            Filesize

            406KB

            MD5

            a1ac72e5a2c19e2dae2438214e81498d

            SHA1

            0b7c591b9da26d3ee0de5d35cbd72c9854835fe3

            SHA256

            928e89b8254ae1973ee2979bf6cb8b90baea7a4a25f01ae592c02f1d261e02a9

            SHA512

            69a5ad7330d489dbcc9ec7dea00ea0bdfdc481c3efc07d35b64d6a19a5833accc16238ac0ddf6cebfcf539172968295d073767ed24a3689d976abafcb1d45545

          • C:\Windows\SysWOW64\Dopigd32.exe

            Filesize

            406KB

            MD5

            04286106e576b39767aa86f8114fe745

            SHA1

            7f897164082168c3024991a81aa3a69448f40c9a

            SHA256

            7eb7519d7b89feba7fa89e289afe9544359427e53dd21e018daea29ff58d22a1

            SHA512

            40ec4073161284cde9d04f13c6031ef1f3e134f88b7185843ee1e0323baebdeca0492102ef718dcd1685a9d694cd9db579fda8eec2f37073cae8da1e45237325

          • memory/492-65-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/492-77-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/1116-76-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/1116-73-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/1144-9-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/1144-90-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/1520-17-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/1520-88-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/1924-83-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/1924-40-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/2548-56-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/2548-79-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/4344-33-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/4344-85-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/4408-93-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/4408-32-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/4660-92-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/4660-0-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/4660-1-0x0000000000431000-0x0000000000432000-memory.dmp

            Filesize

            4KB

          • memory/5100-81-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB

          • memory/5100-49-0x0000000000400000-0x0000000000490000-memory.dmp

            Filesize

            576KB