84eb50af2aec02876939b53d382f1f60df27bf2b8911d8618bb716040241f2ef

Analysis

max time kernel
119s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
Size

1.2MB
MD5

06d9ea17d367d079e64fad8d541f28f0
SHA1

3b721eeeff9aea1574bd5bf263076ea3825d7e88
SHA256

84eb50af2aec02876939b53d382f1f60df27bf2b8911d8618bb716040241f2ef
SHA512

912d156dca6d41d0deec494e762588e29086054f491909df02d483c10ff1b2846079d75e5bacfa14dd9b2b2336c318201d72679146d9e0f769c8c57ec4cb44fc
SSDEEP

24576:pWHYFXPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oW2to:NFnbazR0vKLXZ8to

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe

Malware Backdoor - Berbew 21 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x00090000000224ad-6.dat	family_berbew
behavioral2/files/0x00090000000224ad-8.dat	family_berbew
behavioral2/files/0x0006000000022e60-14.dat	family_berbew
behavioral2/files/0x0006000000022e60-16.dat	family_berbew
behavioral2/files/0x0006000000022e65-23.dat	family_berbew
behavioral2/files/0x0006000000022e65-22.dat	family_berbew
behavioral2/files/0x0007000000022e5d-30.dat	family_berbew
behavioral2/files/0x0007000000022e5d-32.dat	family_berbew
behavioral2/files/0x0006000000022e68-39.dat	family_berbew
behavioral2/files/0x0006000000022e68-38.dat	family_berbew
behavioral2/files/0x0006000000022e6a-46.dat	family_berbew
behavioral2/files/0x0006000000022e6a-48.dat	family_berbew
behavioral2/files/0x0006000000022e6d-56.dat	family_berbew
behavioral2/files/0x0006000000022e6d-54.dat	family_berbew
behavioral2/files/0x0006000000022e70-57.dat	family_berbew
behavioral2/files/0x0006000000022e70-63.dat	family_berbew
behavioral2/files/0x0006000000022e70-62.dat	family_berbew
behavioral2/files/0x0006000000022e72-72.dat	family_berbew
behavioral2/files/0x0006000000022e72-70.dat	family_berbew
behavioral2/files/0x0006000000022e74-78.dat	family_berbew
behavioral2/files/0x0006000000022e74-80.dat	family_berbew

Executes dropped EXE 10 IoCs

pid	Process
3776	Adfgdpmi.exe
1056	Aaldccip.exe
4144	Bkibgh32.exe
4520	Boihcf32.exe
4516	Bhblllfo.exe
3136	Bajqda32.exe
1000	Cglbhhga.exe
1144	Cdbpgl32.exe
2956	Dojqjdbl.exe
920	Dkqaoe32.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Cdbpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Boihcf32.exe	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Cglbhhga.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Ofkhal32.dll	Aaldccip.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
File opened for modification	C:\Windows\SysWOW64\Bkibgh32.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Bhblllfo.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Bjlfmfbi.dll	Bajqda32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Adfgdpmi.exe	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Boihcf32.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Bkibgh32.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Bhblllfo.exe	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Adfgdpmi.exe	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bkibgh32.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Bhblllfo.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Ichqihli.dll	Adfgdpmi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2568	920	WerFault.exe	98

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaldccip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3776	4388	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe	86
PID 4388 wrote to memory of 3776	4388	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe	86
PID 4388 wrote to memory of 3776	4388	NEAS.06d9ea17d367d079e64fad8d541f28f0.exe	86
PID 3776 wrote to memory of 1056	3776	Adfgdpmi.exe	88
PID 3776 wrote to memory of 1056	3776	Adfgdpmi.exe	88
PID 3776 wrote to memory of 1056	3776	Adfgdpmi.exe	88
PID 1056 wrote to memory of 4144	1056	Aaldccip.exe	89
PID 1056 wrote to memory of 4144	1056	Aaldccip.exe	89
PID 1056 wrote to memory of 4144	1056	Aaldccip.exe	89
PID 4144 wrote to memory of 4520	4144	Bkibgh32.exe	90
PID 4144 wrote to memory of 4520	4144	Bkibgh32.exe	90
PID 4144 wrote to memory of 4520	4144	Bkibgh32.exe	90
PID 4520 wrote to memory of 4516	4520	Boihcf32.exe	91
PID 4520 wrote to memory of 4516	4520	Boihcf32.exe	91
PID 4520 wrote to memory of 4516	4520	Boihcf32.exe	91
PID 4516 wrote to memory of 3136	4516	Bhblllfo.exe	93
PID 4516 wrote to memory of 3136	4516	Bhblllfo.exe	93
PID 4516 wrote to memory of 3136	4516	Bhblllfo.exe	93
PID 3136 wrote to memory of 1000	3136	Bajqda32.exe	94
PID 3136 wrote to memory of 1000	3136	Bajqda32.exe	94
PID 3136 wrote to memory of 1000	3136	Bajqda32.exe	94
PID 1000 wrote to memory of 1144	1000	Cglbhhga.exe	96
PID 1000 wrote to memory of 1144	1000	Cglbhhga.exe	96
PID 1000 wrote to memory of 1144	1000	Cglbhhga.exe	96
PID 1144 wrote to memory of 2956	1144	Cdbpgl32.exe	97
PID 1144 wrote to memory of 2956	1144	Cdbpgl32.exe	97
PID 1144 wrote to memory of 2956	1144	Cdbpgl32.exe	97
PID 2956 wrote to memory of 920	2956	Dojqjdbl.exe	98
PID 2956 wrote to memory of 920	2956	Dojqjdbl.exe	98
PID 2956 wrote to memory of 920	2956	Dojqjdbl.exe	98

C:\Users\Admin\AppData\Local\Temp\NEAS.06d9ea17d367d079e64fad8d541f28f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.06d9ea17d367d079e64fad8d541f28f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\Adfgdpmi.exe
  C:\Windows\system32\Adfgdpmi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\Aaldccip.exe
    C:\Windows\system32\Aaldccip.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\Bkibgh32.exe
      C:\Windows\system32\Bkibgh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        11⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 400
        12⤵
        Program crash
        
        PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 920 -ip 920
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
1.2MB

MD5
f80d82d33ed5089228d4f8f798237ab7

SHA1
1e0bd1f06f46ebf792c59f2f798a56ed6811e363

SHA256
bf31800b623054768b251951133918588d32511a42af5e633ad0cde7c3c4e918

SHA512
e8b60250d0726fde163daa9384a8b5c427a973347fed7ccc3465bf132558be43e1adb76091c310d4757be66e175f4a394c1fa230159270b9916d42af02b63a8f

Download Submit
C:\Windows\SysWOW64\Aaldccip.exe

Filesize
1.2MB

MD5
f80d82d33ed5089228d4f8f798237ab7

SHA1
1e0bd1f06f46ebf792c59f2f798a56ed6811e363

SHA256
bf31800b623054768b251951133918588d32511a42af5e633ad0cde7c3c4e918

SHA512
e8b60250d0726fde163daa9384a8b5c427a973347fed7ccc3465bf132558be43e1adb76091c310d4757be66e175f4a394c1fa230159270b9916d42af02b63a8f

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
1.2MB

MD5
009984d546c8d4d53871ca62a689e978

SHA1
83d321ae870120a4a7825b1d969517c690b1e245

SHA256
90f4d4b2cae1582bfb2afd06fafa791436e8f95cfb9159a6b9daccbfb9389a06

SHA512
2c491126aa395edd76a91a3b23b0578cef97eef14cdeaedfd886679b7d70f5a2a9b2ee620d13ca4825e64e6ebbc74ce0c68667a50d1d99942732ee0371de6412

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
1.2MB

MD5
009984d546c8d4d53871ca62a689e978

SHA1
83d321ae870120a4a7825b1d969517c690b1e245

SHA256
90f4d4b2cae1582bfb2afd06fafa791436e8f95cfb9159a6b9daccbfb9389a06

SHA512
2c491126aa395edd76a91a3b23b0578cef97eef14cdeaedfd886679b7d70f5a2a9b2ee620d13ca4825e64e6ebbc74ce0c68667a50d1d99942732ee0371de6412

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
1.2MB

MD5
0bf27e5a41ca175608b7f94cbdea8e0b

SHA1
d3a8b12a2767e9d583e419dbab2384c85c134c8d

SHA256
656d1311cf496969dc4e0e723fdb9ac05d868375c10d5f774b5dcc08a4796b4b

SHA512
233815917933d23be431f0bf9521f70f584df3bb8baabfbfbab770354731a00d199820a9296a0ab322d7cf551553584f219721d91c62b3a0ca420e09e5347202

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
1.2MB

MD5
0bf27e5a41ca175608b7f94cbdea8e0b

SHA1
d3a8b12a2767e9d583e419dbab2384c85c134c8d

SHA256
656d1311cf496969dc4e0e723fdb9ac05d868375c10d5f774b5dcc08a4796b4b

SHA512
233815917933d23be431f0bf9521f70f584df3bb8baabfbfbab770354731a00d199820a9296a0ab322d7cf551553584f219721d91c62b3a0ca420e09e5347202

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
1.2MB

MD5
bca8a448b4fe0b3a1acf57eb95839ee3

SHA1
951de28da9b9c5883fd1417249da957fdba143dd

SHA256
9ec588ae25ad7180b84da7e9dbca14cf15bc57ae45fd4c7d548cf55ead3bf516

SHA512
102c40ca3e91251ab42e547bc94ac1c79ba8e3dddd233ccab45e466ebb9785101fde9f64af623e4e13aa66a6bec45374d05b76d1557be7c4285b01f123c87edd

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
1.2MB

MD5
bca8a448b4fe0b3a1acf57eb95839ee3

SHA1
951de28da9b9c5883fd1417249da957fdba143dd

SHA256
9ec588ae25ad7180b84da7e9dbca14cf15bc57ae45fd4c7d548cf55ead3bf516

SHA512
102c40ca3e91251ab42e547bc94ac1c79ba8e3dddd233ccab45e466ebb9785101fde9f64af623e4e13aa66a6bec45374d05b76d1557be7c4285b01f123c87edd

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
1.2MB

MD5
0a0e7f2bf2bbdd74601ef128b0389866

SHA1
d2211ebddc4d584a9029883baba7153417734d14

SHA256
39e7ae7f728bdab096e15687f8a7d90286a19653df5d9a8c7c21511384732ac0

SHA512
aa06d9f32b6411223ac786fa775a35e0433540fb39ad318d4099be82ccaa10c5566d12681c9a5eeed04c5ea7c87213413c7455122fa46b68bef12a5ddcb79a7b

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
1.2MB

MD5
0a0e7f2bf2bbdd74601ef128b0389866

SHA1
d2211ebddc4d584a9029883baba7153417734d14

SHA256
39e7ae7f728bdab096e15687f8a7d90286a19653df5d9a8c7c21511384732ac0

SHA512
aa06d9f32b6411223ac786fa775a35e0433540fb39ad318d4099be82ccaa10c5566d12681c9a5eeed04c5ea7c87213413c7455122fa46b68bef12a5ddcb79a7b

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
1.2MB

MD5
b1ec3ff7c88477767529e6ca57cb6f62

SHA1
c2c8e1aa480c51a456db76cddde6d1727d9bca60

SHA256
a4c3ef86211f46d4333c6531a2af6691a5b814e98c61ab581a0efe3a5b1fdf09

SHA512
bd24532c7d59d60769d4c2f090a0bf8934cbb53735b9438e11ba9bd88a5bc31b1419fcb3d4e28ca9263e0461ae95fff52c1a0c27f897e5a1495bac66823608f5

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
1.2MB

MD5
b1ec3ff7c88477767529e6ca57cb6f62

SHA1
c2c8e1aa480c51a456db76cddde6d1727d9bca60

SHA256
a4c3ef86211f46d4333c6531a2af6691a5b814e98c61ab581a0efe3a5b1fdf09

SHA512
bd24532c7d59d60769d4c2f090a0bf8934cbb53735b9438e11ba9bd88a5bc31b1419fcb3d4e28ca9263e0461ae95fff52c1a0c27f897e5a1495bac66823608f5

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
1.2MB

MD5
20c8f5bb7debe9ee1951092013ddc705

SHA1
d1ebb76082285fde90e7f708ba96238d8033b5dc

SHA256
6df553cd9ec7fa8fd8cf7c82545a2a55d8ca6b5a1840c6343ac2973114a37b49

SHA512
a036a92059bfcebacbe45df322f2d380f4a4bf685f566bc0353065dc597c3f83b19423e842ad43adb400133dfb6f01ec082c88b3b47aad5923801c2d7a71680d

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
1.2MB

MD5
e3120d6c04762ec89e0cc60f5d6667a9

SHA1
c6fcf61c721d8a9ec7a09e72424b4b8a5da61b33

SHA256
8395ddffb3ed2a7064c7892c1a761aebf22a6da8ddcf1a8c4fa6a133fe34a52e

SHA512
8c2f45a98d22d2413c7623b8f350ade295a9f850b69174046d95787f9fbc3b9c5bd6753a87fe64bfb2a2b34074a91ff229ffae981f0818c7c669b095ba263c54

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
1.2MB

MD5
e3120d6c04762ec89e0cc60f5d6667a9

SHA1
c6fcf61c721d8a9ec7a09e72424b4b8a5da61b33

SHA256
8395ddffb3ed2a7064c7892c1a761aebf22a6da8ddcf1a8c4fa6a133fe34a52e

SHA512
8c2f45a98d22d2413c7623b8f350ade295a9f850b69174046d95787f9fbc3b9c5bd6753a87fe64bfb2a2b34074a91ff229ffae981f0818c7c669b095ba263c54

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
1.2MB

MD5
20c8f5bb7debe9ee1951092013ddc705

SHA1
d1ebb76082285fde90e7f708ba96238d8033b5dc

SHA256
6df553cd9ec7fa8fd8cf7c82545a2a55d8ca6b5a1840c6343ac2973114a37b49

SHA512
a036a92059bfcebacbe45df322f2d380f4a4bf685f566bc0353065dc597c3f83b19423e842ad43adb400133dfb6f01ec082c88b3b47aad5923801c2d7a71680d

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
1.2MB

MD5
20c8f5bb7debe9ee1951092013ddc705

SHA1
d1ebb76082285fde90e7f708ba96238d8033b5dc

SHA256
6df553cd9ec7fa8fd8cf7c82545a2a55d8ca6b5a1840c6343ac2973114a37b49

SHA512
a036a92059bfcebacbe45df322f2d380f4a4bf685f566bc0353065dc597c3f83b19423e842ad43adb400133dfb6f01ec082c88b3b47aad5923801c2d7a71680d

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
1.2MB

MD5
a96ad39fc70d7c660c90599eb8570da3

SHA1
af45d8c116b7cac5221a4d5f2669b454665f1c74

SHA256
52b02aa23e3632bd0ab4a9b09cf1ab62fbba2bb5ad83b8f8783428df0dae7a2c

SHA512
f76860b085998b0ddcb5ee6973fc79f39567937242784033e052bfd66ef608294778b98883cbe669bfd62c6c04eb51874b0338377dc5cc5ce14ff6d627eb9f87

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
1.2MB

MD5
a96ad39fc70d7c660c90599eb8570da3

SHA1
af45d8c116b7cac5221a4d5f2669b454665f1c74

SHA256
52b02aa23e3632bd0ab4a9b09cf1ab62fbba2bb5ad83b8f8783428df0dae7a2c

SHA512
f76860b085998b0ddcb5ee6973fc79f39567937242784033e052bfd66ef608294778b98883cbe669bfd62c6c04eb51874b0338377dc5cc5ce14ff6d627eb9f87

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
1.2MB

MD5
1a59cf2d81c54c4ce9994035a17842d0

SHA1
e3ef09203ef3fa77e05c476447abe22923d7adb9

SHA256
1bfb606edaa9e57711caff395c2a3c69fa2b1b08d2b6cf295aefc1d1666860a5

SHA512
9338b27d5d62f2c8de98efdde09e30b12853dee972b32b41a3911f0cd24d232399ee527330d5cf46d6b486b5686d259e761179243f74a76c1d56104653c9d7c9

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
1.2MB

MD5
1a59cf2d81c54c4ce9994035a17842d0

SHA1
e3ef09203ef3fa77e05c476447abe22923d7adb9

SHA256
1bfb606edaa9e57711caff395c2a3c69fa2b1b08d2b6cf295aefc1d1666860a5

SHA512
9338b27d5d62f2c8de98efdde09e30b12853dee972b32b41a3911f0cd24d232399ee527330d5cf46d6b486b5686d259e761179243f74a76c1d56104653c9d7c9

Download Submit
memory/920-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1000-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1000-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1056-83-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1056-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-84-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3776-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3776-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4144-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4144-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4388-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4388-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads