b5224b1fe857cf50983be8cb1ffbb28b2f3b47680cd749b846f68cc127a4a0fb

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb18c21325106d253021f274e3aa53c0_NEIKI.exe
Size

1.2MB
MD5

bb18c21325106d253021f274e3aa53c0
SHA1

61e7244c7f87957fde6b8e019a39425bc528888f
SHA256

b5224b1fe857cf50983be8cb1ffbb28b2f3b47680cd749b846f68cc127a4a0fb
SHA512

9639adfa83d1153eeb5c1bf306f03cc8b114c030953a090f1bf8c43a661ed86a1129c4975b35218a6a95817cedd99b2f222166f2afb38781a46b5686a526b7ea
SSDEEP

24576:uwYcm0BmmvFimm0MTP7hm0BmmvFimm0SGT8P402fo06YE1+91vK3xDWGk4A:uUiLiZGT8P4Zfo06h1+91vOaGBA

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcplhi32.exe

Malware Dropper & Backdoor - Berbew 10 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x00080000000122cd-14.dat	family_berbew
behavioral1/files/0x0007000000015ce1-34.dat	family_berbew
behavioral1/files/0x0007000000015d07-55.dat	family_berbew
behavioral1/files/0x00060000000164b2-78.dat	family_berbew
behavioral1/files/0x003400000001567f-95.dat	family_berbew
behavioral1/files/0x0006000000016843-104.dat	family_berbew
behavioral1/files/0x0006000000016c4a-126.dat	family_berbew
behavioral1/files/0x0006000000016c6b-139.dat	family_berbew
behavioral1/files/0x00060000000161e7-70.dat	family_berbew
behavioral1/files/0x0008000000015ca6-28.dat	family_berbew

Executes dropped EXE 10 IoCs

pid	Process
2096	Gonnhhln.exe
2616	Gegfdb32.exe
3068	Glaoalkh.exe
2564	Gldkfl32.exe
2408	Hlcgeo32.exe
1956	Hobcak32.exe
2756	Hellne32.exe
2976	Hcplhi32.exe
1852	Hogmmjfo.exe
808	Iagfoe32.exe

Loads dropped DLL 24 IoCs

pid	Process
996	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
996	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
2096	Gonnhhln.exe
2096	Gonnhhln.exe
2616	Gegfdb32.exe
2616	Gegfdb32.exe
3068	Glaoalkh.exe
3068	Glaoalkh.exe
2564	Gldkfl32.exe
2564	Gldkfl32.exe
2408	Hlcgeo32.exe
2408	Hlcgeo32.exe
1956	Hobcak32.exe
1956	Hobcak32.exe
2756	Hellne32.exe
2756	Hellne32.exe
2976	Hcplhi32.exe
2976	Hcplhi32.exe
1852	Hogmmjfo.exe
1852	Hogmmjfo.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Glaoalkh.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Glaoalkh.exe	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hellne32.exe

Program crash 1 IoCs

pid	pid_target	Process
2664	808	WerFault.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bb18c21325106d253021f274e3aa53c0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hogmmjfo.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 2096	996	bb18c21325106d253021f274e3aa53c0_NEIKI.exe	28
PID 996 wrote to memory of 2096	996	bb18c21325106d253021f274e3aa53c0_NEIKI.exe	28
PID 996 wrote to memory of 2096	996	bb18c21325106d253021f274e3aa53c0_NEIKI.exe	28
PID 996 wrote to memory of 2096	996	bb18c21325106d253021f274e3aa53c0_NEIKI.exe	28
PID 2096 wrote to memory of 2616	2096	Gonnhhln.exe	29
PID 2096 wrote to memory of 2616	2096	Gonnhhln.exe	29
PID 2096 wrote to memory of 2616	2096	Gonnhhln.exe	29
PID 2096 wrote to memory of 2616	2096	Gonnhhln.exe	29
PID 2616 wrote to memory of 3068	2616	Gegfdb32.exe	30
PID 2616 wrote to memory of 3068	2616	Gegfdb32.exe	30
PID 2616 wrote to memory of 3068	2616	Gegfdb32.exe	30
PID 2616 wrote to memory of 3068	2616	Gegfdb32.exe	30
PID 3068 wrote to memory of 2564	3068	Glaoalkh.exe	31
PID 3068 wrote to memory of 2564	3068	Glaoalkh.exe	31
PID 3068 wrote to memory of 2564	3068	Glaoalkh.exe	31
PID 3068 wrote to memory of 2564	3068	Glaoalkh.exe	31
PID 2564 wrote to memory of 2408	2564	Gldkfl32.exe	32
PID 2564 wrote to memory of 2408	2564	Gldkfl32.exe	32
PID 2564 wrote to memory of 2408	2564	Gldkfl32.exe	32
PID 2564 wrote to memory of 2408	2564	Gldkfl32.exe	32
PID 2408 wrote to memory of 1956	2408	Hlcgeo32.exe	33
PID 2408 wrote to memory of 1956	2408	Hlcgeo32.exe	33
PID 2408 wrote to memory of 1956	2408	Hlcgeo32.exe	33
PID 2408 wrote to memory of 1956	2408	Hlcgeo32.exe	33
PID 1956 wrote to memory of 2756	1956	Hobcak32.exe	34
PID 1956 wrote to memory of 2756	1956	Hobcak32.exe	34
PID 1956 wrote to memory of 2756	1956	Hobcak32.exe	34
PID 1956 wrote to memory of 2756	1956	Hobcak32.exe	34
PID 2756 wrote to memory of 2976	2756	Hellne32.exe	35
PID 2756 wrote to memory of 2976	2756	Hellne32.exe	35
PID 2756 wrote to memory of 2976	2756	Hellne32.exe	35
PID 2756 wrote to memory of 2976	2756	Hellne32.exe	35
PID 2976 wrote to memory of 1852	2976	Hcplhi32.exe	36
PID 2976 wrote to memory of 1852	2976	Hcplhi32.exe	36
PID 2976 wrote to memory of 1852	2976	Hcplhi32.exe	36
PID 2976 wrote to memory of 1852	2976	Hcplhi32.exe	36
PID 1852 wrote to memory of 808	1852	Hogmmjfo.exe	37
PID 1852 wrote to memory of 808	1852	Hogmmjfo.exe	37
PID 1852 wrote to memory of 808	1852	Hogmmjfo.exe	37
PID 1852 wrote to memory of 808	1852	Hogmmjfo.exe	37
PID 808 wrote to memory of 2664	808	Iagfoe32.exe	38
PID 808 wrote to memory of 2664	808	Iagfoe32.exe	38
PID 808 wrote to memory of 2664	808	Iagfoe32.exe	38
PID 808 wrote to memory of 2664	808	Iagfoe32.exe	38

C:\Users\Admin\AppData\Local\Temp\bb18c21325106d253021f274e3aa53c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\bb18c21325106d253021f274e3aa53c0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\Gonnhhln.exe
  C:\Windows\system32\Gonnhhln.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\Gegfdb32.exe
    C:\Windows\system32\Gegfdb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Glaoalkh.exe
      C:\Windows\system32\Glaoalkh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gegfdb32.exe

Filesize
1.2MB

MD5
c3c07e07b6252ed6b1198ee94bde448e

SHA1
77f25ab3181b94ad2db69ab4a3f26a1d927ddc94

SHA256
72e20ba3741abf59906d70924f2c9898754b87d4f1c72fd4be8daa09d3c7048a

SHA512
41a992ff18a930a4ca9a56aeaadce9ce934d3883be24b96d41f133a43af8ecf535962c9046524ad6cdc2d53f4072d0bb2a821baf080fbeb8f78a2ee75221aebb

Download Submit
C:\Windows\SysWOW64\Gldkfl32.exe

Filesize
1.2MB

MD5
4ba8920d80392182d6a1185f3187fd7b

SHA1
25c1e1dab950e46c494a64f1e5adae5c1219f3d2

SHA256
abfd47a906958e4fed5d5a47a46671c2302250750a9809a5a2c8c88bf4f18da7

SHA512
45eccece4150fe7d04c04cf85b9b8f1e75ee86d86f2a4aadbce071eb3da9b6c604eec5aed550c81ef9af4d544ae54151ea943fe886d0da437abb67b057d53b6d

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
1.2MB

MD5
bda031c3bb762d50341b214c31b979e6

SHA1
ae71152548d292747beadedcccfc80e0230c6ff1

SHA256
3af0f7defc189034aaaaa46f1d2a648353201e790ff23b747ab2edcf0ff10466

SHA512
c5b1a4a3ef53b0aff281a7871ed2419368c5a596deddae7ae513af2a94e9110caae8f98c814e813fd372ff5ddfb0f94081b5b0f9ae60e1e9466d48d057138ab9

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
1.2MB

MD5
a9ce9f35c6b165f8612dfe2a2a385cb4

SHA1
038b04a5ba8a4a79f04bf8d0981cda5bc31f540b

SHA256
a424b8a34ab48cb07353a5526d946370e615d404987ba9179d2b146395d731ae

SHA512
f849a959bb24882e8a6cea32d89657c6dea591a93dda20dca21994d5804dc4edcc766c8b9ac4f0b926b997400558a201559de411819e0957f37ac582ba4b0750

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
1.2MB

MD5
27e5e7ce65b66472075a3ce1b3a29857

SHA1
251e1961ebaaa2877026287e2435592bc5ce6fb6

SHA256
8c7e376b996b82625f199c18d5aa8385e69f5e940eb22d2e3fa7a199b8c23bcc

SHA512
b0aa3d96491d62dbeb6dde4a5d290648d1bf1f87c0461de541666eae232e6cb8a137f608bc45670992edb67c42203c7197d3f4f2f457638d5a99ad6e7b939086

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
1.2MB

MD5
6109a7c8db5f5eb5494a805d928c4b32

SHA1
35a6ab303217442947dd0e1474e77a31fd6e8fb4

SHA256
49dca74c7aaad40d3066d059a1d78cf555b1131a38d0e33d14c8ea792aa7607a

SHA512
34eda85d5e4e59b78c64758fb52b52ffe352447cb6f499e20cd1396a2636cc3bdfab839ae9a87e84ec99155abd30b6e842cdde30956e1ae452bd6f3cc2b948e5

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
1.2MB

MD5
c8681f4c2403231de89785fc951fa3ec

SHA1
6aed048870ace19ea8f3f3e933028f3260bd88d1

SHA256
b8be6dfbebf2191f21cdd103280ebda0efdaf0e350c1767fea427ebe79272772

SHA512
b81a6385b614875172bb34dc1e46e2bf5674e2e37e7d2828e23a614b69dac9031dfee6c0fb84516dbcc710130172e1795e26c3aa5b24a63f32592eafd9f011b5

Download Submit
C:\Windows\SysWOW64\Kjnifgah.dll

Filesize
7KB

MD5
1d196c81e5c68afc4c965c68a03d9ba8

SHA1
c0964be03b8667fd8947d711ad942ef25ef10f16

SHA256
2e74562c86320aaf301e0d22d34fef3cc4822e03c33f3d676dd42c69cdd0b332

SHA512
fd9d12ced3c51d8831aaab10484072360abd37a44ff1ce3f80535e4b331d193650f953f38bcf4febdd91399c61398fc2123b000d6afadd5f517d31319913c78a

Download Submit
\Windows\SysWOW64\Glaoalkh.exe

Filesize
1.2MB

MD5
ed5f6405b5f832342bb2d1a62a8e1e86

SHA1
676790d71a427a2900ed362f7562b20b7e58e4ba

SHA256
b94f99f5da6ce293c5db4b5fa0c6ded1e3a8cd39befdb77cdae916ffc3e0bff6

SHA512
531a31c92210706c0edc9e3a1c2d2353322e1981e920f37fb0712a9c15d2e4dedccd832bf9f76867472e782332cf0587e411b155db53e7a1efc95e4a865b2fda

Download Submit
\Windows\SysWOW64\Hcplhi32.exe

Filesize
1.2MB

MD5
a9c3f6a42fa541317cce71dcdd979a65

SHA1
b1e3fbaab86ca121df5254e9b584d51bd740c6e3

SHA256
246fd09f899d09473437d7ad1e0080ee69d7c052192ec29cbf2946ca762ab68b

SHA512
e22066e4570ee521a259e9a6fc4c5d29a6bb550f46965dad4fb46b2af6281ca6a83f5f2e20cc955130f8e17f0b92c380245ca6637d4b20e8f0dd5d886aee76de

Download Submit
\Windows\SysWOW64\Hobcak32.exe

Filesize
1.2MB

MD5
bc5b034b1404984055addd586aefc87b

SHA1
72ea6a685b4afac891295eca76b59829cb00ceab

SHA256
d95989e146f770b62152dd7e5669e2ce6f12cf9fcf089b55699588f321303a7f

SHA512
59b2577914082764864b485b97eca072705d8918355a255b45d39c1f39819c5862ee748dbe2e2ae8699966baea0f9733c196319a3ea4fba4e17f0e6038c0d042

Download Submit
memory/808-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-13-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/996-6-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/996-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-96-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/1956-97-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/1956-150-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-85-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2096-26-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2096-24-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2096-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2408-149-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2408-76-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2408-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-35-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2756-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-115-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2756-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-116-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2976-121-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2976-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-147-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-56-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3068-49-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads