Analysis

- Max time kernel: 89s
- Max time network: 19s
- Platform: windows7_x64
- Resource: win7-20240729-en
- Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- Submitted: 16-09-2024 11:09

Tasks:

- Static task: static1
- Behavioral task: behavioral1 (sample: Backdoor.Win32.Berbew.exe; resource: win7-20240729-en)
- Behavioral task: behavioral2 (sample: Backdoor.Win32.Berbew.exe; resource: win10v2004-20240802-en)
General

- Target: Backdoor.Win32.Berbew.exe
- Size: 76KB
- MD5: da02ba2c614d43399c49db8b311cae70
- SHA1: 2e4f75630f125096d6676e2d0e978a9e6f67e861
- SHA256: 63fbe941ea05ed64840ae770b72c1f842147be1b95df899c8928dc2cfdb0fef0
- SHA512: 3e1772f0c69726e198cf07cc6dac5f479864f2090f48e2a8ece44e7a989223640c35718974bf39600bb0b288a4430bd69160c2a6aa9de0753419d34f2342055b
- SSDEEP: 1536:QKYuhP7sZMZlHMUCQOdgdYNVSbX5xoUWHioQV+/eCeyvCQ:Jlhz2MZlsUCkWHrk+
Malware Config

Extracted configuration family: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 22 IoCs)

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdcjgnbc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdcjgnbc.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cobhdhha.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Capdpcge.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccpqjfnh.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cenmfbml.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chmibmlo.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Caenkc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caenkc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Backdoor.Win32.Berbew.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Capdpcge.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccpqjfnh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cenmfbml.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chmibmlo.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgbfcjag.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chjmmnnb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chjmmnnb.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cofaog32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cofaog32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgbfcjag.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Backdoor.Win32.Berbew.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cobhdhha.exe |
Executes dropped EXE (11 IoCs)

| pid | process |
|---|---|
| 2216 | Cobhdhha.exe |
| 2884 | Capdpcge.exe |
| 2880 | Chjmmnnb.exe |
| 2288 | Ccpqjfnh.exe |
| 2708 | Cenmfbml.exe |
| 2736 | Chmibmlo.exe |
| 2752 | Cofaog32.exe |
| 2268 | Caenkc32.exe |
| 444 | Cdcjgnbc.exe |
| 3056 | Cgbfcjag.exe |
| 1088 | Coindgbi.exe |
Loads dropped DLL (22 IoCs; each process is recorded twice)

| pid | process | entries |
|---|---|---|
| 2748 | Backdoor.Win32.Berbew.exe | 2 |
| 2216 | Cobhdhha.exe | 2 |
| 2884 | Capdpcge.exe | 2 |
| 2880 | Chjmmnnb.exe | 2 |
| 2288 | Ccpqjfnh.exe | 2 |
| 2708 | Cenmfbml.exe | 2 |
| 2736 | Chmibmlo.exe | 2 |
| 2752 | Cofaog32.exe | 2 |
| 2268 | Caenkc32.exe | 2 |
| 444 | Cdcjgnbc.exe | 2 |
| 3056 | Cgbfcjag.exe | 2 |
Drops file in System32 directory (33 IoCs)

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\Cobhdhha.exe | Backdoor.Win32.Berbew.exe |
| File created | C:\Windows\SysWOW64\Capdpcge.exe | Cobhdhha.exe |
| File opened for modification | C:\Windows\SysWOW64\Cenmfbml.exe | Ccpqjfnh.exe |
| File created | C:\Windows\SysWOW64\Elnlcjph.dll | Chmibmlo.exe |
| File created | C:\Windows\SysWOW64\Cdcjgnbc.exe | Caenkc32.exe |
| File created | C:\Windows\SysWOW64\Cgbfcjag.exe | Cdcjgnbc.exe |
| File opened for modification | C:\Windows\SysWOW64\Coindgbi.exe | Cgbfcjag.exe |
| File created | C:\Windows\SysWOW64\Hlilhb32.dll | Ccpqjfnh.exe |
| File opened for modification | C:\Windows\SysWOW64\Chjmmnnb.exe | Capdpcge.exe |
| File created | C:\Windows\SysWOW64\Clmkgm32.dll | Capdpcge.exe |
| File created | C:\Windows\SysWOW64\Befddlni.dll | Cdcjgnbc.exe |
| File created | C:\Windows\SysWOW64\Chjmmnnb.exe | Capdpcge.exe |
| File created | C:\Windows\SysWOW64\Hakhbifq.dll | Cofaog32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cdcjgnbc.exe | Caenkc32.exe |
| File created | C:\Windows\SysWOW64\Cobhdhha.exe | Backdoor.Win32.Berbew.exe |
| File created | C:\Windows\SysWOW64\Cmfjgc32.dll | Cobhdhha.exe |
| File opened for modification | C:\Windows\SysWOW64\Ccpqjfnh.exe | Chjmmnnb.exe |
| File created | C:\Windows\SysWOW64\Ggqbii32.dll | Chjmmnnb.exe |
| File created | C:\Windows\SysWOW64\Cofaog32.exe | Chmibmlo.exe |
| File opened for modification | C:\Windows\SysWOW64\Cgbfcjag.exe | Cdcjgnbc.exe |
| File created | C:\Windows\SysWOW64\Cenmfbml.exe | Ccpqjfnh.exe |
| File created | C:\Windows\SysWOW64\Mpgoaiep.dll | Cenmfbml.exe |
| File created | C:\Windows\SysWOW64\Iafehn32.dll | Caenkc32.exe |
| File created | C:\Windows\SysWOW64\Coindgbi.exe | Cgbfcjag.exe |
| File created | C:\Windows\SysWOW64\Ohodgb32.dll | Cgbfcjag.exe |
| File opened for modification | C:\Windows\SysWOW64\Caenkc32.exe | Cofaog32.exe |
| File created | C:\Windows\SysWOW64\Hkfggj32.dll | Backdoor.Win32.Berbew.exe |
| File opened for modification | C:\Windows\SysWOW64\Capdpcge.exe | Cobhdhha.exe |
| File created | C:\Windows\SysWOW64\Ccpqjfnh.exe | Chjmmnnb.exe |
| File created | C:\Windows\SysWOW64\Chmibmlo.exe | Cenmfbml.exe |
| File opened for modification | C:\Windows\SysWOW64\Chmibmlo.exe | Cenmfbml.exe |
| File opened for modification | C:\Windows\SysWOW64\Cofaog32.exe | Chmibmlo.exe |
| File created | C:\Windows\SysWOW64\Caenkc32.exe | Cofaog32.exe |
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdcjgnbc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgbfcjag.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Coindgbi.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Backdoor.Win32.Berbew.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cobhdhha.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Capdpcge.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chjmmnnb.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccpqjfnh.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cenmfbml.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chmibmlo.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cofaog32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Caenkc32.exe |
Modifies registry class (36 IoCs)

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | Backdoor.Win32.Berbew.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cofaog32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakhbifq.dll" | Cofaog32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll" | Cdcjgnbc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdcjgnbc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfggj32.dll" | Backdoor.Win32.Berbew.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Capdpcge.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqbii32.dll" | Chjmmnnb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll" | Cenmfbml.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cenmfbml.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cgbfcjag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | Backdoor.Win32.Berbew.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cobhdhha.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chjmmnnb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll" | Chmibmlo.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chjmmnnb.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chmibmlo.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Caenkc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgbfcjag.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cenmfbml.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Capdpcge.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ccpqjfnh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilhb32.dll" | Ccpqjfnh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafehn32.dll" | Caenkc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Caenkc32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Backdoor.Win32.Berbew.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfjgc32.dll" | Cobhdhha.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ccpqjfnh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chmibmlo.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cofaog32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | Backdoor.Win32.Berbew.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Backdoor.Win32.Berbew.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cobhdhha.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll" | Capdpcge.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdcjgnbc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll" | Cgbfcjag.exe |
Suspicious use of WriteProcessMemory (44 IoCs; each parent/child pair is recorded four times)

| description | pid | process | target process | entries |
|---|---|---|---|---|
| PID 2748 wrote to memory of 2216 | 2748 | Backdoor.Win32.Berbew.exe | Cobhdhha.exe | 4 |
| PID 2216 wrote to memory of 2884 | 2216 | Cobhdhha.exe | Capdpcge.exe | 4 |
| PID 2884 wrote to memory of 2880 | 2884 | Capdpcge.exe | Chjmmnnb.exe | 4 |
| PID 2880 wrote to memory of 2288 | 2880 | Chjmmnnb.exe | Ccpqjfnh.exe | 4 |
| PID 2288 wrote to memory of 2708 | 2288 | Ccpqjfnh.exe | Cenmfbml.exe | 4 |
| PID 2708 wrote to memory of 2736 | 2708 | Cenmfbml.exe | Chmibmlo.exe | 4 |
| PID 2736 wrote to memory of 2752 | 2736 | Chmibmlo.exe | Cofaog32.exe | 4 |
| PID 2752 wrote to memory of 2268 | 2752 | Cofaog32.exe | Caenkc32.exe | 4 |
| PID 2268 wrote to memory of 444 | 2268 | Caenkc32.exe | Cdcjgnbc.exe | 4 |
| PID 444 wrote to memory of 3056 | 444 | Cdcjgnbc.exe | Cgbfcjag.exe | 4 |
| PID 3056 wrote to memory of 1088 | 3056 | Cgbfcjag.exe | Coindgbi.exe | 4 |
Processes

Process tree (depth 1 to 12; each entry is a child of the one before it):

1. C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe (PID 2748)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\Cobhdhha.exe (PID 2216)
   Command line: C:\Windows\system32\Cobhdhha.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\Capdpcge.exe (PID 2884)
   Command line: C:\Windows\system32\Capdpcge.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\Chjmmnnb.exe (PID 2880)
   Command line: C:\Windows\system32\Chjmmnnb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\Ccpqjfnh.exe (PID 2288)
   Command line: C:\Windows\system32\Ccpqjfnh.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\Cenmfbml.exe (PID 2708)
   Command line: C:\Windows\system32\Cenmfbml.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\Chmibmlo.exe (PID 2736)
   Command line: C:\Windows\system32\Chmibmlo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\Cofaog32.exe (PID 2752)
   Command line: C:\Windows\system32\Cofaog32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\Caenkc32.exe (PID 2268)
   Command line: C:\Windows\system32\Caenkc32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\Cdcjgnbc.exe (PID 444)
    Command line: C:\Windows\system32\Cdcjgnbc.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\Cgbfcjag.exe (PID 3056)
    Command line: C:\Windows\system32\Cgbfcjag.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\Coindgbi.exe (PID 1088)
    Command line: C:\Windows\system32\Coindgbi.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery