berbew | bbc582dbe8ef14efea30ed35d70e90caa750da926983bc0ef093a8eda3f7d2b5

Analysis

max time kernel
93s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Padodor.SK.exe
Size

128KB
MD5

7b57936fff3e438ebb90d2939c4e00c0
SHA1

81c97fb9376b505f1120df17678e8b7385065bce
SHA256

bbc582dbe8ef14efea30ed35d70e90caa750da926983bc0ef093a8eda3f7d2b5
SHA512

4c93a9e41ddf80c71cea6622c4c07e3382415b72ea166a5e90024e28db069e046f580086ce6909450ca0956860d70dfaee527210f1d4574c6a44620db1b799e0
SSDEEP

1536:f+v9G4v+lcK33jcJ7I2CXstgJrBfGzRQDfRfRa9HprmRfRJCLIXG:IGDlcmWxis2JFeeDf5wkpHxG

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Backdoor.Win32.Padodor.SK.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Backdoor.Win32.Padodor.SK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 13 IoCs

pid	Process
4448	Dhfajjoj.exe
3496	Dopigd32.exe
3564	Dmcibama.exe
2824	Dhhnpjmh.exe
2420	Dobfld32.exe
2536	Delnin32.exe
1472	Dfnjafap.exe
4204	Daconoae.exe
3492	Dhmgki32.exe
2904	Dogogcpo.exe
2876	Daekdooc.exe
2664	Dhocqigp.exe
3136	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Backdoor.Win32.Padodor.SK.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Backdoor.Win32.Padodor.SK.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Backdoor.Win32.Padodor.SK.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4184	3136	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Backdoor.Win32.Padodor.SK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Backdoor.Win32.Padodor.SK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	Backdoor.Win32.Padodor.SK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Backdoor.Win32.Padodor.SK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Backdoor.Win32.Padodor.SK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Backdoor.Win32.Padodor.SK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	Backdoor.Win32.Padodor.SK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 4448	3852	Backdoor.Win32.Padodor.SK.exe	82
PID 3852 wrote to memory of 4448	3852	Backdoor.Win32.Padodor.SK.exe	82
PID 3852 wrote to memory of 4448	3852	Backdoor.Win32.Padodor.SK.exe	82
PID 4448 wrote to memory of 3496	4448	Dhfajjoj.exe	83
PID 4448 wrote to memory of 3496	4448	Dhfajjoj.exe	83
PID 4448 wrote to memory of 3496	4448	Dhfajjoj.exe	83
PID 3496 wrote to memory of 3564	3496	Dopigd32.exe	84
PID 3496 wrote to memory of 3564	3496	Dopigd32.exe	84
PID 3496 wrote to memory of 3564	3496	Dopigd32.exe	84
PID 3564 wrote to memory of 2824	3564	Dmcibama.exe	85
PID 3564 wrote to memory of 2824	3564	Dmcibama.exe	85
PID 3564 wrote to memory of 2824	3564	Dmcibama.exe	85
PID 2824 wrote to memory of 2420	2824	Dhhnpjmh.exe	86
PID 2824 wrote to memory of 2420	2824	Dhhnpjmh.exe	86
PID 2824 wrote to memory of 2420	2824	Dhhnpjmh.exe	86
PID 2420 wrote to memory of 2536	2420	Dobfld32.exe	87
PID 2420 wrote to memory of 2536	2420	Dobfld32.exe	87
PID 2420 wrote to memory of 2536	2420	Dobfld32.exe	87
PID 2536 wrote to memory of 1472	2536	Delnin32.exe	88
PID 2536 wrote to memory of 1472	2536	Delnin32.exe	88
PID 2536 wrote to memory of 1472	2536	Delnin32.exe	88
PID 1472 wrote to memory of 4204	1472	Dfnjafap.exe	89
PID 1472 wrote to memory of 4204	1472	Dfnjafap.exe	89
PID 1472 wrote to memory of 4204	1472	Dfnjafap.exe	89
PID 4204 wrote to memory of 3492	4204	Daconoae.exe	90
PID 4204 wrote to memory of 3492	4204	Daconoae.exe	90
PID 4204 wrote to memory of 3492	4204	Daconoae.exe	90
PID 3492 wrote to memory of 2904	3492	Dhmgki32.exe	91
PID 3492 wrote to memory of 2904	3492	Dhmgki32.exe	91
PID 3492 wrote to memory of 2904	3492	Dhmgki32.exe	91
PID 2904 wrote to memory of 2876	2904	Dogogcpo.exe	92
PID 2904 wrote to memory of 2876	2904	Dogogcpo.exe	92
PID 2904 wrote to memory of 2876	2904	Dogogcpo.exe	92
PID 2876 wrote to memory of 2664	2876	Daekdooc.exe	93
PID 2876 wrote to memory of 2664	2876	Daekdooc.exe	93
PID 2876 wrote to memory of 2664	2876	Daekdooc.exe	93
PID 2664 wrote to memory of 3136	2664	Dhocqigp.exe	94
PID 2664 wrote to memory of 3136	2664	Dhocqigp.exe	94
PID 2664 wrote to memory of 3136	2664	Dhocqigp.exe	94

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\Dhfajjoj.exe
  C:\Windows\system32\Dhfajjoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\Dopigd32.exe
    C:\Windows\system32\Dopigd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\Dmcibama.exe
      C:\Windows\system32\Dmcibama.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 408
        15⤵
        Program crash
        
        PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3136 -ip 3136
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Alcidkmm.dll

Filesize
7KB

MD5
5885b82d22cabaefdbad95594d5e160d

SHA1
d8ee043930271f0da76b8b96eecde5a3692a3309

SHA256
411129c3336737e5b9797db0d685f5b6c73b0cb4a6b907c59d7f272c4767a094

SHA512
875f50bfa05a0daaa9858aa2b3fe4191db6149beb4f8bdd1f576c524538d9b78d59415b4163df60dccc589aee15398c95f46ea885d4967406cc4c5a4751ae090

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
128KB

MD5
652c6b258d027e1c1d4a195c67c9227f

SHA1
e80728b6c91e2522fc02c97556080217871d54dd

SHA256
0755f138a4d1df51d7ba9bf310e2ed8847be3f52dc1c37f933cb34cbda79cc07

SHA512
19b2f44328b44557bb4d2396d35054cf655ca1cbaee0aa4625d3832134399cafa96da440c6c1f47c58721be82a495cdc7319d0f48fa16fe45aeeb54a9e80481f

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
128KB

MD5
0059f37d83863c6de9610a5c1a2b0f45

SHA1
e8e9cd03fdedae28883ebfa0a1c8166e45c00ce3

SHA256
ae732938c7579b7e7c8434d3f21780ea12c70f3983e80807b749eec2b0eac5e4

SHA512
030ce4b2f82ac853e0b7336fb1895d134bca896793d14baed407014e21b6b704ba4b51ea2eb5df7e4ffa265187f7fb61ed31a1b43318c8587c0fd3294540306b

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
128KB

MD5
2b869bee2ce6b94eb1502fecd15255e0

SHA1
9efc1e9b2e44cbf0532685d81cc1a6a1fad72172

SHA256
96acb383015639dec0911924929d9894d609f5694057e85a5f0f430c3c0ceae0

SHA512
9a756d8a10120ce14a4a1bc2966bc78daa1e61180450891729324d10cdf6b8fcb7d345201df89c81a6e4fea9a2ecc593fcff9d9a1f63098b6cbe877be87f9788

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
128KB

MD5
5be6b61236cc3b3abe33b10882c802a6

SHA1
40b7c5f17b7dbae07a9bace889490ddf3a95a44b

SHA256
29a7b9a704513a9183e87ac0da903db35ce3d230b768c2a0f1992f0f1c75b42e

SHA512
2afeac739d80a097968a25620c0c9d66bf5df42305ce521cfa1031558e425bdaea16cdbfdfddf4af460d49ff194b498f68915d1e84a6c23301fe36ae3f3c8276

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
128KB

MD5
68237f3365fad4c29168593bffc2bc81

SHA1
437d9491ae9419bd27597b9d3e442c18dbf64356

SHA256
427ce80ce200e31c756ff5b617fca22323a4bb3009948e82bd70bb36aa7dc7bb

SHA512
07caa6a6b2171d10eac9e545665594f4f004b406d2923ed2e1ce7f35e04aef19084a9c1816aa432abab4850d8947c1b0a7cf62ed73296ea449907956c960a824

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
128KB

MD5
3898f9f41bfaa3192feec6e1a8114cfc

SHA1
b40086583a057c08361960b8a88140155513ab05

SHA256
20c641c2fbe2a63e5bb80c364065da53a352581b449a05acb57618069f6dc020

SHA512
220f949086f16dbe764bfbdaea3f594e031cd8bcfd2879a307ebad3f9322c7909fee1674ec55aff02d3d815c21d2213d33e4c7d08c30a55165460aee1b6925a6

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
128KB

MD5
9386941d4d6c9a3f9b31961a15697f26

SHA1
ca1dc1951603995c0cdfa17bdc6f37e940bf2c0c

SHA256
f178184bfc3fb2f190d40c4e6f868f3ae816f1290077e1b76161cb042f21c93a

SHA512
287b8aec4e50de99ae5e1be8673a94c075f28d6b2104f5ec66e07781331cd4037db7254b5adcc6a6d942991f13581d0ab28eb2a7e0efb3407a6f2e46ae21b051

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
128KB

MD5
f3c1fc9e3570e849c912eaef83c3cc0d

SHA1
b87462e17412b79a2a3fcd34cfe27d3dc1982871

SHA256
bc54190462ebfcfb6123cbce0f5b77250dfe7f477d42dd80e96705f36858ec14

SHA512
c2d2f6976d0efa0e1f869818ea743e0efa6b154b573100868195eb1893ed613d01a25bfb1dcca4a6d08f928bcc85886b39ddb7dd92ad30bf457cd72f9d87bc00

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
128KB

MD5
9688b237813cdd0a59de82928f19ced8

SHA1
d486218fbd2887747062551b037b76cb297f7879

SHA256
efedc8688935c973e931123207dfb0205a7bff869d8862b4616e3264500ae3d5

SHA512
5d44097c1866577a959ccf555779107c89f4427bfac900d48174ad90253fd1e6734c97127ab677051b4397ebebb11e03c114404516bbe98d7084dbe2c0e4c236

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
128KB

MD5
6b1933e523b264a7a31be0c546b967e3

SHA1
8c35747e639d3bbcead03d13d138f7b2fac48bd1

SHA256
99bebfae93f143fbda2525bb7dbf5ee04cd799c21e593d7ad0e878f1261b6094

SHA512
ebbee0c4e5466fadcf23185ca8f393a5c827789e24337c638134d402f508b18a5617add7e4efc640c4a32ce80042333820947e479c316e7ddc88c57e1ca1593b

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
128KB

MD5
2d93e1cf713285cc29058cb85dd453e8

SHA1
32c1771a76617a5dba0c21729560705be153adc9

SHA256
a5620d2abb76b458dc91a69879e16d1a9ceab290a7ba72d41bdb2e0e82b43539

SHA512
f357a0ecec9fb54c2c1a2daaba5b9a99fc42dc322a96914c6a03e1738e75b15c8eb9cdf24e815f85f45628c72916a5944610d414b41f08459d22b62f6ca4e37d

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
128KB

MD5
8b1c8a38b5a346d6ff1443b17a04ef92

SHA1
53e9ef87e1042efde751b09f18cb55ab572348d3

SHA256
7cd29d2bce96802f1c763661beb04294db531680add7f3da57de15661126229d

SHA512
e98adc3d4b125ae39c28188557293e5f7543685049c42e546c57740930d38fc26a3f31d5ed345544707ef2990b06f9fe7aef8f73aa1fbdaa6e3a79865e5d90ea

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
128KB

MD5
00f5a93fe9fb7e0785d70c7bc7fc134b

SHA1
989e3b275c53f11c3abb46222bcb7d29d5c3d283

SHA256
cdc0598ef9e79d96a95c2d74bd9d51d0168bdb6595f1f089bc5d6731546fbaf7

SHA512
f3012f1718e0ef1cb531bc86b1fc707edc3bec3cdf908b0cedcbd264075a4d2fb430783a6c0cf020da43827f3d6bfc14520d50f09e45d142337d0bf4c083449d

Download Submit
memory/1472-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1472-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2420-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2420-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2904-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2904-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3136-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3136-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads