Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
16-09-2024 14:48
Static task
static1
Behavioral task
behavioral1
Sample
TrojanDownloader.Win32.Berbew.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
TrojanDownloader.Win32.Berbew.exe
Resource
win10v2004-20240802-en
General
-
Target
TrojanDownloader.Win32.Berbew.exe
-
Size
64KB
-
MD5
cccdf86e63e00b3fde66914adbbb2a10
-
SHA1
a7a05109891f2d74edf0b4a50e41a6f7cce9b660
-
SHA256
9aeb72328f6bf79156c5886dde8b93c4316e0401883e21fd5a58fba9cd8f0398
-
SHA512
5aa16914b219e40ca627ab34012ada4891e06bd277fa84e930636b3ab292dc4d9e9cf8925d4e3a70f4786a7064520b128a5eb4e9564cf607d75a41888b99c4da
-
SSDEEP
1536:nfDbH2f2S1IK93IaAY+puMdEWy6rPFW2iwTbW:nf3Q2S2K93IDYMuMdEXuFW2VTbW
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klecfkff.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdbepm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kageia32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | TrojanDownloader.Win32.Berbew.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfaalh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmmfnb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lplbjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lplbjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdphjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpgionie.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbhbai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | TrojanDownloader.Win32.Berbew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmfpmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmimcbja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfaalh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmimcbja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpgionie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klecfkff.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmfpmc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfodfh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kageia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbhbai32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgcnahoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgcnahoo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdphjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfodfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdbepm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmmfnb32.exe
Executes dropped EXE 14 IoCs
pid | Process
2692 | Klecfkff.exe
2968 | Kmfpmc32.exe
2588 | Kdphjm32.exe
2616 | Kfodfh32.exe
796 | Kmimcbja.exe
316 | Kpgionie.exe
1972 | Kdbepm32.exe
1804 | Kfaalh32.exe
2256 | Kageia32.exe
2648 | Kbhbai32.exe
2116 | Kgcnahoo.exe
568 | Lmmfnb32.exe
2380 | Lplbjm32.exe
2084 | Lbjofi32.exe
Loads dropped DLL 32 IoCs
pid | Process
2080 | TrojanDownloader.Win32.Berbew.exe
2080 | TrojanDownloader.Win32.Berbew.exe
2692 | Klecfkff.exe
2692 | Klecfkff.exe
2968 | Kmfpmc32.exe
2968 | Kmfpmc32.exe
2588 | Kdphjm32.exe
2588 | Kdphjm32.exe
2616 | Kfodfh32.exe
2616 | Kfodfh32.exe
796 | Kmimcbja.exe
796 | Kmimcbja.exe
316 | Kpgionie.exe
316 | Kpgionie.exe
1972 | Kdbepm32.exe
1972 | Kdbepm32.exe
1804 | Kfaalh32.exe
1804 | Kfaalh32.exe
2256 | Kageia32.exe
2256 | Kageia32.exe
2648 | Kbhbai32.exe
2648 | Kbhbai32.exe
2116 | Kgcnahoo.exe
2116 | Kgcnahoo.exe
568 | Lmmfnb32.exe
568 | Lmmfnb32.exe
2380 | Lplbjm32.exe
2380 | Lplbjm32.exe
2088 | WerFault.exe
2088 | WerFault.exe
2088 | WerFault.exe
2088 | WerFault.exe
Drops file in System32 directory 42 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Pdnfmn32.dll | TrojanDownloader.Win32.Berbew.exe
File created | C:\Windows\SysWOW64\Hnnikfij.dll | Kmfpmc32.exe
File created | C:\Windows\SysWOW64\Kpgionie.exe | Kmimcbja.exe
File created | C:\Windows\SysWOW64\Jlflfm32.dll | Kfaalh32.exe
File created | C:\Windows\SysWOW64\Kbhbai32.exe | Kageia32.exe
File created | C:\Windows\SysWOW64\Ipafocdg.dll | Lplbjm32.exe
File opened for modification | C:\Windows\SysWOW64\Kmfpmc32.exe | Klecfkff.exe
File created | C:\Windows\SysWOW64\Kdphjm32.exe | Kmfpmc32.exe
File opened for modification | C:\Windows\SysWOW64\Kmimcbja.exe | Kfodfh32.exe
File created | C:\Windows\SysWOW64\Kfaalh32.exe | Kdbepm32.exe
File opened for modification | C:\Windows\SysWOW64\Kgcnahoo.exe | Kbhbai32.exe
File created | C:\Windows\SysWOW64\Lmmfnb32.exe | Kgcnahoo.exe
File created | C:\Windows\SysWOW64\Kdbepm32.exe | Kpgionie.exe
File opened for modification | C:\Windows\SysWOW64\Kdbepm32.exe | Kpgionie.exe
File created | C:\Windows\SysWOW64\Bndneq32.dll | Kageia32.exe
File created | C:\Windows\SysWOW64\Pigckoki.dll | Kgcnahoo.exe
File created | C:\Windows\SysWOW64\Lplbjm32.exe | Lmmfnb32.exe
File opened for modification | C:\Windows\SysWOW64\Kbhbai32.exe | Kageia32.exe
File opened for modification | C:\Windows\SysWOW64\Lplbjm32.exe | Lmmfnb32.exe
File created | C:\Windows\SysWOW64\Kcadppco.dll | Klecfkff.exe
File created | C:\Windows\SysWOW64\Kfodfh32.exe | Kdphjm32.exe
File created | C:\Windows\SysWOW64\Kcjeje32.dll | Kdphjm32.exe
File created | C:\Windows\SysWOW64\Kmimcbja.exe | Kfodfh32.exe
File created | C:\Windows\SysWOW64\Bodilc32.dll | Kfodfh32.exe
File opened for modification | C:\Windows\SysWOW64\Kageia32.exe | Kfaalh32.exe
File created | C:\Windows\SysWOW64\Jbdhhp32.dll | Kmimcbja.exe
File created | C:\Windows\SysWOW64\Alhpic32.dll | Kpgionie.exe
File created | C:\Windows\SysWOW64\Kageia32.exe | Kfaalh32.exe
File opened for modification | C:\Windows\SysWOW64\Lmmfnb32.exe | Kgcnahoo.exe
File created | C:\Windows\SysWOW64\Kmfpmc32.exe | Klecfkff.exe
File opened for modification | C:\Windows\SysWOW64\Kdphjm32.exe | Kmfpmc32.exe
File created | C:\Windows\SysWOW64\Pgodelnq.dll | Kbhbai32.exe
File opened for modification | C:\Windows\SysWOW64\Lbjofi32.exe | Lplbjm32.exe
File created | C:\Windows\SysWOW64\Klecfkff.exe | TrojanDownloader.Win32.Berbew.exe
File opened for modification | C:\Windows\SysWOW64\Kfodfh32.exe | Kdphjm32.exe
File opened for modification | C:\Windows\SysWOW64\Kfaalh32.exe | Kdbepm32.exe
File created | C:\Windows\SysWOW64\Phblkn32.dll | Kdbepm32.exe
File created | C:\Windows\SysWOW64\Lbjofi32.exe | Lplbjm32.exe
File opened for modification | C:\Windows\SysWOW64\Klecfkff.exe | TrojanDownloader.Win32.Berbew.exe
File opened for modification | C:\Windows\SysWOW64\Kpgionie.exe | Kmimcbja.exe
File created | C:\Windows\SysWOW64\Kgcnahoo.exe | Kbhbai32.exe
File created | C:\Windows\SysWOW64\Dlcdel32.dll | Lmmfnb32.exe
Program crash 1 IoCs
pid | pid_target | Process
2088 | 2084 | WerFault.exe
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmimcbja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klecfkff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmfpmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfodfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbhbai32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lplbjm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TrojanDownloader.Win32.Berbew.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdphjm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfaalh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpgionie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbjofi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmmfnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdbepm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kageia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kgcnahoo.exe
Modifies registry class 45 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | TrojanDownloader.Win32.Berbew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" | Klecfkff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll" | Kmfpmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll" | Kfaalh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbhbai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | TrojanDownloader.Win32.Berbew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfaalh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kbhbai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lmmfnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdbepm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfodfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll" | Kfodfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll" | Kpgionie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll" | Kdbepm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kageia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll" | Lmmfnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" | Lplbjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klecfkff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdphjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmimcbja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmimcbja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfaalh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll" | TrojanDownloader.Win32.Berbew.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | TrojanDownloader.Win32.Berbew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll" | Kmimcbja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll" | Kgcnahoo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | TrojanDownloader.Win32.Berbew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" | Kdphjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfodfh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpgionie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpgionie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll" | Kageia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" | Kbhbai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgcnahoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Klecfkff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmmfnb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmfpmc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kageia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgcnahoo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lplbjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lplbjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | TrojanDownloader.Win32.Berbew.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdphjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdbepm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmfpmc32.exe
Suspicious use of WriteProcessMemory 60 IoCs
description | pid | Process | procid_target
PID 2080 wrote to memory of 2692 | 2080 | TrojanDownloader.Win32.Berbew.exe | 30
PID 2080 wrote to memory of 2692 | 2080 | TrojanDownloader.Win32.Berbew.exe | 30
PID 2080 wrote to memory of 2692 | 2080 | TrojanDownloader.Win32.Berbew.exe | 30
PID 2080 wrote to memory of 2692 | 2080 | TrojanDownloader.Win32.Berbew.exe | 30
PID 2692 wrote to memory of 2968 | 2692 | Klecfkff.exe | 31
PID 2692 wrote to memory of 2968 | 2692 | Klecfkff.exe | 31
PID 2692 wrote to memory of 2968 | 2692 | Klecfkff.exe | 31
PID 2692 wrote to memory of 2968 | 2692 | Klecfkff.exe | 31
PID 2968 wrote to memory of 2588 | 2968 | Kmfpmc32.exe | 32
PID 2968 wrote to memory of 2588 | 2968 | Kmfpmc32.exe | 32
PID 2968 wrote to memory of 2588 | 2968 | Kmfpmc32.exe | 32
PID 2968 wrote to memory of 2588 | 2968 | Kmfpmc32.exe | 32
PID 2588 wrote to memory of 2616 | 2588 | Kdphjm32.exe | 33
PID 2588 wrote to memory of 2616 | 2588 | Kdphjm32.exe | 33
PID 2588 wrote to memory of 2616 | 2588 | Kdphjm32.exe | 33
PID 2588 wrote to memory of 2616 | 2588 | Kdphjm32.exe | 33
PID 2616 wrote to memory of 796 | 2616 | Kfodfh32.exe | 34
PID 2616 wrote to memory of 796 | 2616 | Kfodfh32.exe | 34
PID 2616 wrote to memory of 796 | 2616 | Kfodfh32.exe | 34
PID 2616 wrote to memory of 796 | 2616 | Kfodfh32.exe | 34
PID 796 wrote to memory of 316 | 796 | Kmimcbja.exe | 35
PID 796 wrote to memory of 316 | 796 | Kmimcbja.exe | 35
PID 796 wrote to memory of 316 | 796 | Kmimcbja.exe | 35
PID 796 wrote to memory of 316 | 796 | Kmimcbja.exe | 35
PID 316 wrote to memory of 1972 | 316 | Kpgionie.exe | 36
PID 316 wrote to memory of 1972 | 316 | Kpgionie.exe | 36
PID 316 wrote to memory of 1972 | 316 | Kpgionie.exe | 36
PID 316 wrote to memory of 1972 | 316 | Kpgionie.exe | 36
PID 1972 wrote to memory of 1804 | 1972 | Kdbepm32.exe | 37
PID 1972 wrote to memory of 1804 | 1972 | Kdbepm32.exe | 37
PID 1972 wrote to memory of 1804 | 1972 | Kdbepm32.exe | 37
PID 1972 wrote to memory of 1804 | 1972 | Kdbepm32.exe | 37
PID 1804 wrote to memory of 2256 | 1804 | Kfaalh32.exe | 38
PID 1804 wrote to memory of 2256 | 1804 | Kfaalh32.exe | 38
PID 1804 wrote to memory of 2256 | 1804 | Kfaalh32.exe | 38
PID 1804 wrote to memory of 2256 | 1804 | Kfaalh32.exe | 38
PID 2256 wrote to memory of 2648 | 2256 | Kageia32.exe | 39
PID 2256 wrote to memory of 2648 | 2256 | Kageia32.exe | 39
PID 2256 wrote to memory of 2648 | 2256 | Kageia32.exe | 39
PID 2256 wrote to memory of 2648 | 2256 | Kageia32.exe | 39
PID 2648 wrote to memory of 2116 | 2648 | Kbhbai32.exe | 40
PID 2648 wrote to memory of 2116 | 2648 | Kbhbai32.exe | 40
PID 2648 wrote to memory of 2116 | 2648 | Kbhbai32.exe | 40
PID 2648 wrote to memory of 2116 | 2648 | Kbhbai32.exe | 40
PID 2116 wrote to memory of 568 | 2116 | Kgcnahoo.exe | 41
PID 2116 wrote to memory of 568 | 2116 | Kgcnahoo.exe | 41
PID 2116 wrote to memory of 568 | 2116 | Kgcnahoo.exe | 41
PID 2116 wrote to memory of 568 | 2116 | Kgcnahoo.exe | 41
PID 568 wrote to memory of 2380 | 568 | Lmmfnb32.exe | 42
PID 568 wrote to memory of 2380 | 568 | Lmmfnb32.exe | 42
PID 568 wrote to memory of 2380 | 568 | Lmmfnb32.exe | 42
PID 568 wrote to memory of 2380 | 568 | Lmmfnb32.exe | 42
PID 2380 wrote to memory of 2084 | 2380 | Lplbjm32.exe | 43
PID 2380 wrote to memory of 2084 | 2380 | Lplbjm32.exe | 43
PID 2380 wrote to memory of 2084 | 2380 | Lplbjm32.exe | 43
PID 2380 wrote to memory of 2084 | 2380 | Lplbjm32.exe | 43
PID 2084 wrote to memory of 2088 | 2084 | Lbjofi32.exe | 44
PID 2084 wrote to memory of 2088 | 2084 | Lbjofi32.exe | 44
PID 2084 wrote to memory of 2088 | 2084 | Lbjofi32.exe | 44
PID 2084 wrote to memory of 2088 | 2084 | Lbjofi32.exe | 44
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2080
-
[depth 2] C:\Windows\SysWOW64\Klecfkff.exe
Command line: C:\Windows\system32\Klecfkff.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2692
-
[depth 3] C:\Windows\SysWOW64\Kmfpmc32.exe
Command line: C:\Windows\system32\Kmfpmc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2968
-
[depth 4] C:\Windows\SysWOW64\Kdphjm32.exe
Command line: C:\Windows\system32\Kdphjm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2588
-
[depth 5] C:\Windows\SysWOW64\Kfodfh32.exe
Command line: C:\Windows\system32\Kfodfh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2616
-
[depth 6] C:\Windows\SysWOW64\Kmimcbja.exe
Command line: C:\Windows\system32\Kmimcbja.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 796
-
[depth 7] C:\Windows\SysWOW64\Kpgionie.exe
Command line: C:\Windows\system32\Kpgionie.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 316
-
[depth 8] C:\Windows\SysWOW64\Kdbepm32.exe
Command line: C:\Windows\system32\Kdbepm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1972
-
[depth 9] C:\Windows\SysWOW64\Kfaalh32.exe
Command line: C:\Windows\system32\Kfaalh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1804
-
[depth 10] C:\Windows\SysWOW64\Kageia32.exe
Command line: C:\Windows\system32\Kageia32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2256
-
[depth 11] C:\Windows\SysWOW64\Kbhbai32.exe
Command line: C:\Windows\system32\Kbhbai32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2648
-
[depth 12] C:\Windows\SysWOW64\Kgcnahoo.exe
Command line: C:\Windows\system32\Kgcnahoo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2116
-
[depth 13] C:\Windows\SysWOW64\Lmmfnb32.exe
Command line: C:\Windows\system32\Lmmfnb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 568
-
[depth 14] C:\Windows\SysWOW64\Lplbjm32.exe
Command line: C:\Windows\system32\Lplbjm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2380
-
[depth 15] C:\Windows\SysWOW64\Lbjofi32.exe
Command line: C:\Windows\system32\Lbjofi32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2084
-
[depth 16] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 140
- Loads dropped DLL
- Program crash
PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
64KB
MD5
2e80d3671f0fb42a2b5a9788b580eef7
SHA1
4ac28b0615f96c547f26aa3f18f424b2700b27ef
SHA256
45882413f7982c57b6203d31953711aa319e3df8a2e1a484ade69d3babfe7191
SHA512
70087969bea3c754da1f0b911f969b08c3c5e686d17a9875a2849ce2fdace53696daad297d8ce948e75e7a223464704fb7ac4d7a9a577f4c8a301d80a13dd480
-
Filesize
64KB
MD5
312782883d20ccc65c6532255730733e
SHA1
3e838b9a2b46769773904b3c179cbd6824f795b0
SHA256
8a5969d54d64e537d20feaff97223a88b64c19a2f51cf8a7ac91d1b4a0b8a377
SHA512
9493e9d6e9ae18ce56cb5c5dbf7206d1f15c3216bfe2d68fbe11691fb53cb49469bc2ba3ee1b4e42488173c71758136342ba00a675a6c23045b216117c8e6e81
-
Filesize
64KB
MD5
325dfede2b16070a7efd81a2685bddc1
SHA1
ba0e043d325c5df2c202974b17c64bdf4c1ba974
SHA256
81e6c9cf2e535b069126f1ad976dd331538c671e33fd34b9b1ce752bab98b7eb
SHA512
3fa98a6045f0a6d2112d66527d961ea2ca07f773f0efe47614aa0489307c72e02f1296f0a3ac80167fd7812649cae5eaf0ca5211c7c9f495323afc8ed5af868f
-
Filesize
64KB
MD5
9dfa1e154c857eef86969906130a479e
SHA1
863b542c253523953e7909b8a6b662f582f9609c
SHA256
62dced18b5a17cfb9f72620728bffd9cdaa777047d8e619328c366108c236659
SHA512
7baf46ae5385240b4fb1802e5dae024e42d3ee6a80cafebe9d220d59411890927dba58e1ca77da3a94e27a8082045301e6f7afcf7486b04e546f6e1311c4d8e9
-
Filesize
64KB
MD5
d8da1ed37e200279f601978fefa41a84
SHA1
180cfb72e487694a4af2b529498b1594508740d5
SHA256
a66e785392c835cdc7bc7f2c6ffd91bd92f294a23045359e5faa7a65bc0fcff1
SHA512
3de14e92c92d6f400d4f0644b9e67a71adfd2ad0780da924b66b929fb963b0249be408c5e97d064202855c48898b47148d059a665306c6847c7ec82b973335d3
-
Filesize
64KB
MD5
535e53dcb59b296a5ee3e9c8911e24bb
SHA1
b549c468d27125cf69e16d1bcff38603c1c8b1e8
SHA256
fbc364079323578611c6540a8b61471528e2ea9a1fb44227bb361c1197f866cb
SHA512
37c3e75cd1265dc158ee5664c759c51f1f0a61cebaf7a7b04e5982863b2fb09cd166f61042e794e207510ad694d670ab2e5c4da8a2d5fb9c68a788530d71b76b
-
Filesize
64KB
MD5
3dc21ba35f6ddda038221f9cb78b123c
SHA1
23e79e77b735dffafc4eaf861f58d5533d3563a4
SHA256
cea101525106add3f95c3cbf0220f2a524bcee74f1d4acb6b8d6d542a604c755
SHA512
f170c72a48304be5c05967d9447f384ab9b85dc66272db3e45bf6c9ceff7e8455aca5271f2832fd3a81b7f7bbcaa1dd992b3520765a06b27dfdec5db12a818a6
-
Filesize
64KB
MD5
422c968e2a8674b943abb42cdaf0f5a1
SHA1
c3cd012fff7834b5124c7ee11733a228747c25a0
SHA256
6aa166d500631ff2c79b386b3b0fa6f9d2ce2760b5bbf7a05cf645f98b4c5d45
SHA512
01903d2526da76615848a87f46bbdddde43df0075e26d55f4c2b2b038df982dced4e60961c9d42f1a976056e8ab23bc5333db02abfd0979f3951846f8d31a6e7
-
Filesize
64KB
MD5
f69557fd3964ef90aa90e2c7a81e7095
SHA1
04cf25d3da14e8e319e5dc4d8c06a3e1b350f843
SHA256
8dc3e6ad80b2f7ffc0e8c5ade24990dab309e0b03cddb090d48770d06643186a
SHA512
eae431e65159d275a1fb6836ba63237e12070da82b8c71faf29b61d9bdb8f9ef4d7f0b00d3355b5b0c4585adc2ea1a754b266fcb3d8579600ce5e55011c28aec
-
Filesize
64KB
MD5
c47cf66c62cd99a96c49d27434f9832c
SHA1
11864a078070592e63b2852b9ec409160c323b95
SHA256
e7c3327b2d0613f8698d7f38178ca276d42257ceadb0169304f775aae35d6266
SHA512
9fd7bdaedbf7322beba72196623db7b923fbbd194a1bc17ec092e9afac82d36372f962b601c69c95f1c020e654a71795c37f7511a89d8c8143e3dd4026ca9024
-
Filesize
64KB
MD5
23e3ebecd8744a91295f9ca379776476
SHA1
0b07bd9feea5d6f27a878fb1db21df0ff84b44bc
SHA256
2dbaa3b67e98380a793ebd62a11d6e3be3d9d2eb2c9814f041b071f73e8f3f88
SHA512
36c2ecb2a67145595822d8f98fe765f97af411d7658d792e97d1fa4b2a981805861f2c3f434deffaed85023b4920e329ae507a6eddbba5586de08a10591ce9f6
-
Filesize
64KB
MD5
e8d4288b0d9a110fba656811c72b0884
SHA1
aab64a1e5d00625eb49c12736069c8f096d02162
SHA256
ab4ae7a5eb15b413585cc93141d70d68475f87f0b4bdbf30a122518a573d1673
SHA512
f4f072140dd8f4d2941323e910f2fd8ced8467aa2d73d5d3e5270464b1d0c378722677ae1caab749f5447dfd1634f681cc97191101aeed1ea7c75d8c78fdc448
-
Filesize
64KB
MD5
607dc370a7422d5c847c9ff6933aac1b
SHA1
ce9a1157164b99b949bc42ab49f2da4b3fdf623b
SHA256
93af9adba5d9e4019735b5a167df861d8b01022810ea82bca21de4f60f8bbf69
SHA512
93f3c55cc5076a2ee46773ae1b615fb6869cb6663a2c555cccb420c6d708c40f016a53b656c89f4b2d562c8d5d866ab2e3b0947f0792ba5e5dd168504d82da7a
-
Filesize
64KB
MD5
a34b72f62e5de40bb075b3f2930116d5
SHA1
c70acb91b199fcdcf79e26c521fdf4f65bbcbe6d
SHA256
3832b432b15be2648a0f41a2f6c37d307d0a94dbe80205072c204ed30388c909
SHA512
f9181c094f68129ec46f855b9ffb6f30972f44be62d295d2207ba772f5dedaee750e76ae11ebf00fe63dfdb98a13619552f9f6de8b70cebcf7ce354285fb45e3