Overview

overview

10

Static

static

3

9dc9d65dcb...c3.exe

windows7-x64

10

9dc9d65dcb...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 02:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9dc9d65dcbf54410e3b4ec049e12da63ae3e87c18d76a83ac631775eb2252cc3.exe

  • Size

    464KB

  • MD5

    ad20a65d1b15e1c7247eb4b9fa914f9b

  • SHA1

    a7026006236b9108efc383341d0cf7edcf02df21

  • SHA256

    9dc9d65dcbf54410e3b4ec049e12da63ae3e87c18d76a83ac631775eb2252cc3

  • SHA512

    fdb374f1f46fc8cf5666f40694ff91b32ed4417b954444f49d324c466e8cdd61253cec8a2c09c7fda6d47d861549d84e506347222873d5bab3520d23474a2343

  • SSDEEP

    6144:OrksVRHEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPC:OrjZEVI2C4EVu2JEVcBEVI2C

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs
    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in System32 directory 27 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 30 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9dc9d65dcbf54410e3b4ec049e12da63ae3e87c18d76a83ac631775eb2252cc3.exe
    "C:\Users\Admin\AppData\Local\Temp\9dc9d65dcbf54410e3b4ec049e12da63ae3e87c18d76a83ac631775eb2252cc3.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\Djgjlelk.exe
      C:\Windows\system32\Djgjlelk.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\SysWOW64\Dmefhako.exe
        C:\Windows\system32\Dmefhako.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\Delnin32.exe
          C:\Windows\system32\Delnin32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Windows\SysWOW64\Daekdooc.exe
            C:\Windows\system32\Daekdooc.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3760
            • C:\Windows\SysWOW64\Dddhpjof.exe
              C:\Windows\system32\Dddhpjof.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:5072
              • C:\Windows\SysWOW64\Dhocqigp.exe
                C:\Windows\system32\Dhocqigp.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1368
                • C:\Windows\SysWOW64\Dgbdlf32.exe
                  C:\Windows\system32\Dgbdlf32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2692
                  • C:\Windows\SysWOW64\Doilmc32.exe
                    C:\Windows\system32\Doilmc32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4776
                    • C:\Windows\SysWOW64\Dmllipeg.exe
                      C:\Windows\system32\Dmllipeg.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2156
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 408
                        11⤵
                        • Program crash
                        PID:848
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2156 -ip 2156
    1⤵
      PID:3872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Amjknl32.dll
      Filesize

      7KB

      MD5

      736db606719f31e65f4f8d4cb7b04d19

      SHA1

      d7cc511a0a5922a8ffcd3cff2bc251daf3815806

      SHA256

      e071f742c851f5980ea43473d60f1f27f512ee202aa85af1d9f7f6949e3723dd

      SHA512

      a033004670c618e4dd65cd8aadab358b01ca0ae2bb36e41e590afaa034512ececc0283527d8e7819755255b2447fbb8d8edca080dd181845595dcac6c9ee597e

      Download Submit

    • C:\Windows\SysWOW64\Daekdooc.exe
      Filesize

      464KB

      MD5

      aa03141fb409a46b8407cacb798e4491

      SHA1

      0ffd6010b759aa5e117d38b8f5936fe05aa09252

      SHA256

      83d8ecc16e5d32cace9e33fa838a4b0de955f54672d1da0f1520810a6eb73385

      SHA512

      5fe107ebce811e420ae024c3b86aaac402d63f688e41580d14401b6b6ba1f0040b61f21db0ff8c441f98ac111c90a4a51605931c82722901b23e06a4b0e35e81

      Download Submit

    • C:\Windows\SysWOW64\Dddhpjof.exe
      Filesize

      464KB

      MD5

      f0fffa62df2d0b391fea23c102e32d26

      SHA1

      2d5fa359db997fa1bdc7fad6c9ac9bee7585d1d6

      SHA256

      5a8a7aa957c393ff7d6c836b195d93f20fc6ca0a4387eb635f0de4adce42bbf1

      SHA512

      ce2a87627f43ffc85ac2b79d3ef7ed21df129fcc082464ca49326067cc5fa22a1b615e952ca6d1ea7ffe567b8804d38e93303cdd05b3b3750af3b3420a12bdd6

      Download Submit

    • C:\Windows\SysWOW64\Delnin32.exe
      Filesize

      464KB

      MD5

      bbfe38bc2ea44acae665453c9ce61a5b

      SHA1

      cb3664f95bbb73764c639997f9108872a096c792

      SHA256

      d6934ccf2dd2d08ccdf2a843345314419ab2020b537ac4e19120b619ca23a210

      SHA512

      65fae78197e3a16048b7c3c6aba77c27e54b0525af9568f35accd8976633485b4192f5a23e3336f9a996cdfece3a4905d56596fa77ecdbc8bc6b14d63f474994

      Download Submit

    • C:\Windows\SysWOW64\Dgbdlf32.exe
      Filesize

      464KB

      MD5

      2e77085d93fbae214576f14f6d23f8c9

      SHA1

      5eefe124b75a53eaadb77da6e5253d40f98b197f

      SHA256

      d8b88a689ffe777f5bf1ec612fe34a60ab5f68225f7e3eccd6131cde0f4549c0

      SHA512

      bfa9fcd151df361a786f86b66c91b304337463c25dafb746438c197fdfa235b479745b0d06ed51c226ff1a6dccf533f5186de21e6bcb66775b3c6c162309e239

      Download Submit

    • C:\Windows\SysWOW64\Dhocqigp.exe
      Filesize

      464KB

      MD5

      a715a5f57bbff469924947860b378439

      SHA1

      5778832021e3897d273d65a24a08b46c13924df5

      SHA256

      d00ea45350476458a6854b095ed49bd6aa71931655841535892da022ec24ebca

      SHA512

      8eb79837e092054ad86b6cf7902693e41770f98eaa7b4f6731005a1b1332601ec3477b0ff0377ec33a7664d5f62dfd1d0948bf9101046d31f6c873062bbede9b

      Download Submit

    • C:\Windows\SysWOW64\Djgjlelk.exe
      Filesize

      464KB

      MD5

      f5913de75e28c00605128cae9087b7d8

      SHA1

      0c59bc9b6e5062c32cde707bae1958278a2a245e

      SHA256

      1dab187b04d64aee619e00d988775f9f51c6608c424e1f67ef853e3d1a6d810d

      SHA512

      580da16986bdd511a6be2405a9d0bb0e82baae0215d0844ee17c8d4703ecac6293aa3f2cb61b127a4b687b8615cc694fb8e0f431c33598eff0abd3e82290fe5b

      Download Submit

    • C:\Windows\SysWOW64\Dmefhako.exe
      Filesize

      464KB

      MD5

      a796f53d42f14a02d90b0c7627f86806

      SHA1

      21b530ec1fe7f7961364e448c852a7fe75b67949

      SHA256

      ec45e7854237bc81634d570dbe0061d9b95e1b5abef7be38ba96925c456fb623

      SHA512

      66abbdb5fae0a31a6f61d99a0520d11738d5ab76fbe66e04e0747ce11472856db91839809de2e4bef531407c0b1bb1a165a7f70d01c07b41f8b4eb9be9a596c8

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      464KB

      MD5

      8042b5d4504c1d9cd5b32a75b17200fd

      SHA1

      f096b55924f8d8c7ac504404627c4203b02cd18b

      SHA256

      88434c2ef657c1ffd93bef3db2d53f3b41dd90b0fff9c130328b9d65d824aca5

      SHA512

      6b86d1ad4d39976880e0fe157dfef759bb1924aa575ea6acd603f66b2e5db8ad0c9d48cd1a39928904be6f5407c72ba97dfd98ee58721e614cb717911704d2a4

      Download Submit

    • C:\Windows\SysWOW64\Doilmc32.exe
      Filesize

      464KB

      MD5

      a42de77440ebd15a76384be5df167cfe

      SHA1

      015cf5672a9bcc2c3c27984fa12c2a745904b3fd

      SHA256

      26bc9ece59e218b9115becea0a7b01b4a2ccc5d2feda08a62323dd2bf9de7398

      SHA512

      95734978698fa3fc7235a6c117f89a5b86c060a1eaab86c5ea703693c806dcc3da3554ab6400441e28b872f2ad15e579a21e37ba618f1ffbd37e7fc22b48ca65

      Download Submit

    • memory/1368-48-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/1368-82-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/1708-0-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/1708-92-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/2156-72-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/2156-75-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/2692-60-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/2692-78-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/2996-16-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/2996-90-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/3760-36-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/3760-87-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/4084-23-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/4084-84-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/4776-68-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/4776-76-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/4848-89-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/4848-7-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/5072-81-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download

    • memory/5072-45-0x0000000000400000-0x000000000049D000-memory.dmp

      Filesize

      628KB

      Download