c1a57c0f47aa9a9d7f6f76d653c4bd0828debce1f8ac51cbcaafd4d12258c833

Analysis

max time kernel
141s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
Size

199KB
MD5

30b8d74f788f0aab82fc21af85c8a670
SHA1

027ed1e05c07f3855e730a2d68affce0a2ddbfd3
SHA256

c1a57c0f47aa9a9d7f6f76d653c4bd0828debce1f8ac51cbcaafd4d12258c833
SHA512

caac60f159627aa2fe3d53a50c11b77536bb45ec2dcb48da382a174a867269963a64fe553050631e0a0907d9af552e433372a8fc8077823bb0bd933289df297b
SSDEEP

6144:xpkcgw3y7SZSCZj81+jq4peBK034YOmFz1h:Acj3/ZSCG1+jheBbOmFxh

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe

Malware Dropper & Backdoor - Berbew 11 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000e000000023232-7.dat	family_berbew
behavioral2/files/0x0008000000023260-17.dat	family_berbew
behavioral2/files/0x0007000000023263-25.dat	family_berbew
behavioral2/files/0x0007000000023265-33.dat	family_berbew
behavioral2/files/0x0007000000023267-41.dat	family_berbew
behavioral2/files/0x0007000000023269-47.dat	family_berbew
behavioral2/files/0x000700000002326b-56.dat	family_berbew
behavioral2/files/0x000700000002326d-58.dat	family_berbew
behavioral2/files/0x000700000002326f-73.dat	family_berbew
behavioral2/files/0x0007000000023273-83.dat	family_berbew
behavioral2/files/0x0007000000023273-88.dat	family_berbew

Executes dropped EXE 11 IoCs

pid	Process
2268	Palklf32.exe
4656	Afpjel32.exe
1560	Aagkhd32.exe
2464	Apmhiq32.exe
2216	Apaadpng.exe
2800	Bklomh32.exe
1528	Bnlhncgi.exe
4880	Chfegk32.exe
4152	Cnfkdb32.exe
4896	Cogddd32.exe
1304	Dkqaoe32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Bnlhncgi.exe	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Palklf32.exe	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pmpockdl.dll	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Bljlpjaf.dll	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Chfegk32.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Cnfkdb32.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Qkicbhla.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Igafkb32.dll	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Palklf32.exe
File opened for modification	C:\Windows\SysWOW64\Afpjel32.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Egilaj32.dll	Palklf32.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Iocedcbl.dll	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Cogddd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	1304	WerFault.exe	100

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpjel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll"	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apaadpng.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2268	2332	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe	90
PID 2332 wrote to memory of 2268	2332	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe	90
PID 2332 wrote to memory of 2268	2332	30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe	90
PID 2268 wrote to memory of 4656	2268	Palklf32.exe	91
PID 2268 wrote to memory of 4656	2268	Palklf32.exe	91
PID 2268 wrote to memory of 4656	2268	Palklf32.exe	91
PID 4656 wrote to memory of 1560	4656	Afpjel32.exe	92
PID 4656 wrote to memory of 1560	4656	Afpjel32.exe	92
PID 4656 wrote to memory of 1560	4656	Afpjel32.exe	92
PID 1560 wrote to memory of 2464	1560	Aagkhd32.exe	93
PID 1560 wrote to memory of 2464	1560	Aagkhd32.exe	93
PID 1560 wrote to memory of 2464	1560	Aagkhd32.exe	93
PID 2464 wrote to memory of 2216	2464	Apmhiq32.exe	94
PID 2464 wrote to memory of 2216	2464	Apmhiq32.exe	94
PID 2464 wrote to memory of 2216	2464	Apmhiq32.exe	94
PID 2216 wrote to memory of 2800	2216	Apaadpng.exe	95
PID 2216 wrote to memory of 2800	2216	Apaadpng.exe	95
PID 2216 wrote to memory of 2800	2216	Apaadpng.exe	95
PID 2800 wrote to memory of 1528	2800	Bklomh32.exe	96
PID 2800 wrote to memory of 1528	2800	Bklomh32.exe	96
PID 2800 wrote to memory of 1528	2800	Bklomh32.exe	96
PID 1528 wrote to memory of 4880	1528	Bnlhncgi.exe	97
PID 1528 wrote to memory of 4880	1528	Bnlhncgi.exe	97
PID 1528 wrote to memory of 4880	1528	Bnlhncgi.exe	97
PID 4880 wrote to memory of 4152	4880	Chfegk32.exe	98
PID 4880 wrote to memory of 4152	4880	Chfegk32.exe	98
PID 4880 wrote to memory of 4152	4880	Chfegk32.exe	98
PID 4152 wrote to memory of 4896	4152	Cnfkdb32.exe	99
PID 4152 wrote to memory of 4896	4152	Cnfkdb32.exe	99
PID 4152 wrote to memory of 4896	4152	Cnfkdb32.exe	99
PID 4896 wrote to memory of 1304	4896	Cogddd32.exe	100
PID 4896 wrote to memory of 1304	4896	Cogddd32.exe	100
PID 4896 wrote to memory of 1304	4896	Cogddd32.exe	100

C:\Users\Admin\AppData\Local\Temp\30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30b8d74f788f0aab82fc21af85c8a670_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\Palklf32.exe
  C:\Windows\system32\Palklf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\Afpjel32.exe
    C:\Windows\system32\Afpjel32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\SysWOW64\Aagkhd32.exe
      C:\Windows\system32\Aagkhd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        12⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 408
        13⤵
        Program crash
        
        PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1304 -ip 1304
1⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4832 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
199KB

MD5
be35de0452cc0428e3d061a6b0512f50

SHA1
8364ea98c2bd9b28f74c43e778ae92743604947b

SHA256
a0c5bae2e0d6284eb5f736fe5615ab47f8081bbeabaef7eafd4022515f4d8307

SHA512
9ddc10f0ec1f36139e2b550f997c79fa5740978c5f43bfe04fa9020004c41c08eb3fd148d77f0d176430c292a15c3fbf2af95c8f65530676739073b32095956d

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
199KB

MD5
ac6ad351d232fdb4f895b2574e411306

SHA1
5ad86af4297c7e288158f601d8d032a5acb66886

SHA256
a13d625b8510b7cba2bd0b1fd87e0d0677aa02f4abe6d894ac1c20a7df0efd32

SHA512
3fef9bb47a309f04ca5190e6d0e9f8f24ca11e25b8b782d6527b26d663c05e56ac05daae8bc36ef0f1cff6a5adc28c89c05a1ba1f96ad4cbb684ac6314ad23be

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
199KB

MD5
a89b8b5907a0fc858d79db4659d9ac58

SHA1
1221de9b1cfe13ed1b12565826ec19c850281d38

SHA256
e55ead5c69cbb70c9d3528a6057076f6fd876695004b78913d8de125ec56c68b

SHA512
0859ab0860feb7b5b13778958b2a8c26bef0a8438af4ff6da108fcd157eb66588bd19156d78a64dce3b2d28bf55659d5a0fec91c20688d96be44508735d72bd9

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
199KB

MD5
5c5f97decfe75a5ab8066b9c3c0528f1

SHA1
c4c70d4f91f8b8ae215d9088137c6b8530c737ea

SHA256
aa61734a001a2b68201213e6efa9881bf6bef2de673a2846de97824a6924cdc6

SHA512
d4a675f7d3a44743ab63e5e731a35c88ec375e435460a41a61f0446844913c0889045a7b7fd5a21a417c7257870330c34ab97f9fe0c4b92aece2977be1eb093f

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
199KB

MD5
21b7a2c4982f4cd2e9b0621f8ddadca8

SHA1
48f15505e4b1fafdc244d8e0c560bab797755aa7

SHA256
56b78a61ab55f8e8c3029dc368d4b9fffcaeb006ed735e157aac0ded629c6f88

SHA512
68ce0c5ad58d142d19c33603913949b4258a7a106a0fdf6d9d1d09152bb40a5e3e158f55e9f0e06b2795915d505726df17e7ee479967d52954561f8ddced725c

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
199KB

MD5
bf0a1c8cbd4d2aeadb33e55f204c53a6

SHA1
fe0e0aa7b4015f2731da636f3ea14ba2902d1bdd

SHA256
a28a6f111bcaabb58b1226e5c80d80176bf15a760e61abcb17da9566e931bfc4

SHA512
730346ea3fce5ecef2cb1e5ba1e1b90366c5bc50d9d1824a82bae0880ed8ca834428285de0e842220cd35a7d6f9411575a37a66f064aaf6fb7dbc2c30268093b

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
199KB

MD5
f4166d7db813b6b7ec634fc349637afd

SHA1
17927710f4fc22f19a2455711d47ef04a47b2919

SHA256
dbf6e0b8606d424cd5b63ff29fa3608bf24711c04d8fbb8951ea1a4a9cf6807d

SHA512
4c28f9959eaf8eb7f1fc13632731ee477d17839930099e988a2cddc28161cca38009927be680940cf4c264a2b8a0796cbb48c1ff02308f0b5efdba6439001bd0

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
199KB

MD5
ed6b8389c230d086a8d69fbfe45f7d11

SHA1
aa99e2aff17c4b3f03221780c2feeed4703185a9

SHA256
c0aa05f26b082ddfa8887f1328f94da1fe93b2ee20d92d9dd609b65d3ea491fd

SHA512
e53b8e424fa3274c173b6eb632dca8d8b7172113b67c59c81aa232de344d7c561fc850d408e2e219a50d9b23625a7d90c26ea5ef5f6f699f7f57566488df52a0

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
199KB

MD5
92896e9a4aae263bf81979ce557dd054

SHA1
8804f2122810bd83506e1b6fe4fb69e9c6521998

SHA256
1941a6a78a5cb3fc2e170db526e4e712f6dd215712e2e29ff5fd122e5c94a20d

SHA512
b37275226111d9642c488de6d4eecd9d4a2910c38bb46a9114cc03662c68a1e77d510960aa3471cfa4b56f9a97227111c627fada0c59960b51d292b639a92dea

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
199KB

MD5
e941c82c4a5454c95ca20036ffefd691

SHA1
18121e34e4a37c7441226b5bf81aa30d81a40fb1

SHA256
0c7308126c63c18c7af07db9c356c600b753429e0baacdc60359130d8635f523

SHA512
e219b33fa559df6fecdabac70de49a95c64a01f5dee23f927acd581733efb339eaa2206f30fc2b992c699b6e2ca098f74b7cf7fb7250241de44beb5732051f06

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
199KB

MD5
2dcbc707ba3338c6d179b4b1189415af

SHA1
0ad4b4353e4464d1ebe27acb3696081714eb0143

SHA256
a72dcc16e604ee318bd46645685adeb772198d8d37948d3b17df09d89d5e39e4

SHA512
994c88c1d5447c36a3dd8a4122623914833a374f4d19faf1d8b518891e2364c1ab0d0ac8d0c9a05e53080b9bbb4119caea086437c6375e5b3a63fe67c5fe8b25

Download Submit
memory/1304-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1304-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-94-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2268-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2268-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2332-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4152-92-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4152-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4656-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4656-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-91-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads