berbew | 1edc5806d73b411ca3c82323bb2dd201662137316472059a21bb33073e6a14d2

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrojanDownloader.Win32.Berbew.exe
Size

63KB
MD5

2df3f404c8cfd6096d40c941b52c90f0
SHA1

661c1966dd0641b68e1e603333bf370fee22bbbe
SHA256

1edc5806d73b411ca3c82323bb2dd201662137316472059a21bb33073e6a14d2
SHA512

bb3416d02938d8dae8beb0cb8d95e3197e8e259b39641d365f9051bf24034381f2a3a85da4613e96b6eb80688c66b1114ccab8d15a49709a5c092d04789719ae
SSDEEP

1536:8b20S8/MNoPxtq2YG1Ks0wbZ+VoEn9rjDHE:8bXrMxG8stook9DHE

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	TrojanDownloader.Win32.Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	TrojanDownloader.Win32.Berbew.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 19 IoCs

pid	Process
4204	Chagok32.exe
4720	Cnkplejl.exe
3640	Cajlhqjp.exe
2008	Cdhhdlid.exe
3352	Cjbpaf32.exe
3016	Calhnpgn.exe
3312	Ddjejl32.exe
1212	Dfiafg32.exe
1080	Dmcibama.exe
3972	Ddmaok32.exe
3468	Dfknkg32.exe
3928	Daqbip32.exe
2680	Dodbbdbb.exe
4924	Daconoae.exe
4432	Dhmgki32.exe
4632	Dogogcpo.exe
3084	Deagdn32.exe
3508	Dgbdlf32.exe
3248	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	TrojanDownloader.Win32.Berbew.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	TrojanDownloader.Win32.Berbew.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	TrojanDownloader.Win32.Berbew.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2212	3248	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanDownloader.Win32.Berbew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	TrojanDownloader.Win32.Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	TrojanDownloader.Win32.Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	TrojanDownloader.Win32.Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	TrojanDownloader.Win32.Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	TrojanDownloader.Win32.Berbew.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	TrojanDownloader.Win32.Berbew.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4204	412	TrojanDownloader.Win32.Berbew.exe	82
PID 412 wrote to memory of 4204	412	TrojanDownloader.Win32.Berbew.exe	82
PID 412 wrote to memory of 4204	412	TrojanDownloader.Win32.Berbew.exe	82
PID 4204 wrote to memory of 4720	4204	Chagok32.exe	83
PID 4204 wrote to memory of 4720	4204	Chagok32.exe	83
PID 4204 wrote to memory of 4720	4204	Chagok32.exe	83
PID 4720 wrote to memory of 3640	4720	Cnkplejl.exe	84
PID 4720 wrote to memory of 3640	4720	Cnkplejl.exe	84
PID 4720 wrote to memory of 3640	4720	Cnkplejl.exe	84
PID 3640 wrote to memory of 2008	3640	Cajlhqjp.exe	85
PID 3640 wrote to memory of 2008	3640	Cajlhqjp.exe	85
PID 3640 wrote to memory of 2008	3640	Cajlhqjp.exe	85
PID 2008 wrote to memory of 3352	2008	Cdhhdlid.exe	86
PID 2008 wrote to memory of 3352	2008	Cdhhdlid.exe	86
PID 2008 wrote to memory of 3352	2008	Cdhhdlid.exe	86
PID 3352 wrote to memory of 3016	3352	Cjbpaf32.exe	87
PID 3352 wrote to memory of 3016	3352	Cjbpaf32.exe	87
PID 3352 wrote to memory of 3016	3352	Cjbpaf32.exe	87
PID 3016 wrote to memory of 3312	3016	Calhnpgn.exe	88
PID 3016 wrote to memory of 3312	3016	Calhnpgn.exe	88
PID 3016 wrote to memory of 3312	3016	Calhnpgn.exe	88
PID 3312 wrote to memory of 1212	3312	Ddjejl32.exe	89
PID 3312 wrote to memory of 1212	3312	Ddjejl32.exe	89
PID 3312 wrote to memory of 1212	3312	Ddjejl32.exe	89
PID 1212 wrote to memory of 1080	1212	Dfiafg32.exe	90
PID 1212 wrote to memory of 1080	1212	Dfiafg32.exe	90
PID 1212 wrote to memory of 1080	1212	Dfiafg32.exe	90
PID 1080 wrote to memory of 3972	1080	Dmcibama.exe	91
PID 1080 wrote to memory of 3972	1080	Dmcibama.exe	91
PID 1080 wrote to memory of 3972	1080	Dmcibama.exe	91
PID 3972 wrote to memory of 3468	3972	Ddmaok32.exe	92
PID 3972 wrote to memory of 3468	3972	Ddmaok32.exe	92
PID 3972 wrote to memory of 3468	3972	Ddmaok32.exe	92
PID 3468 wrote to memory of 3928	3468	Dfknkg32.exe	93
PID 3468 wrote to memory of 3928	3468	Dfknkg32.exe	93
PID 3468 wrote to memory of 3928	3468	Dfknkg32.exe	93
PID 3928 wrote to memory of 2680	3928	Daqbip32.exe	94
PID 3928 wrote to memory of 2680	3928	Daqbip32.exe	94
PID 3928 wrote to memory of 2680	3928	Daqbip32.exe	94
PID 2680 wrote to memory of 4924	2680	Dodbbdbb.exe	95
PID 2680 wrote to memory of 4924	2680	Dodbbdbb.exe	95
PID 2680 wrote to memory of 4924	2680	Dodbbdbb.exe	95
PID 4924 wrote to memory of 4432	4924	Daconoae.exe	96
PID 4924 wrote to memory of 4432	4924	Daconoae.exe	96
PID 4924 wrote to memory of 4432	4924	Daconoae.exe	96
PID 4432 wrote to memory of 4632	4432	Dhmgki32.exe	97
PID 4432 wrote to memory of 4632	4432	Dhmgki32.exe	97
PID 4432 wrote to memory of 4632	4432	Dhmgki32.exe	97
PID 4632 wrote to memory of 3084	4632	Dogogcpo.exe	98
PID 4632 wrote to memory of 3084	4632	Dogogcpo.exe	98
PID 4632 wrote to memory of 3084	4632	Dogogcpo.exe	98
PID 3084 wrote to memory of 3508	3084	Deagdn32.exe	99
PID 3084 wrote to memory of 3508	3084	Deagdn32.exe	99
PID 3084 wrote to memory of 3508	3084	Deagdn32.exe	99
PID 3508 wrote to memory of 3248	3508	Dgbdlf32.exe	100
PID 3508 wrote to memory of 3248	3508	Dgbdlf32.exe	100
PID 3508 wrote to memory of 3248	3508	Dgbdlf32.exe	100

C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\Chagok32.exe
  C:\Windows\system32\Chagok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\Cnkplejl.exe
    C:\Windows\system32\Cnkplejl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\SysWOW64\Cajlhqjp.exe
      C:\Windows\system32\Cajlhqjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 404
        21⤵
        Program crash
        
        PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3248 -ip 3248
1⤵
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
63KB

MD5
d44893479a09800201e13683ab49c668

SHA1
041787542459f33bb71e3dd8a737d94898b2068e

SHA256
4342b29e27bf87773c898be39be9025b4498f6efbe674af56086b9497ac66d55

SHA512
59b9a9a0374c617504b1d54c32d04dce3f32035369cc0ef5594d08674bfa050f8b7a3ad4e0a51b0929880767250dd3271f0884eb92d9eeed8cd5279fd33e1be9

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
63KB

MD5
ffe322bb69635971964ed0f91edc697b

SHA1
c09b00a82bdf5259fad517260e67376bd328a360

SHA256
5fd0be34677095149cb4f32c0924256daffaf226df8c7548e984fe914e220f1d

SHA512
3ec961a3baf3f407367e840976c173bf761824ce5255325589f57f6e83739edfe9e4d0b3bc80726e8ae78143561addd9d0bab2adb61630fcce319eb36d5b8b32

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
63KB

MD5
153fea9702cc674e9c4bb329f7b2e7a0

SHA1
b2aba53f08b9306bb96676852c371f7247e03536

SHA256
e107b5323fb5aebab2148c09d20b818ec0f3dc9f39240e323e060e83558ece0a

SHA512
b82717bb6aeaa4d3ad371f0eeb5ec11e576d86be2a8d6d682a3760aa49c1c08c7212b6a2ce31d4cad7eb4d16c35bbbb267598b8f6c57d1afd35a7f8a9c44b764

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
63KB

MD5
e59496e4faa957688b425470c9a18dcb

SHA1
d798148c0cbeb4513e1660b7e326a8f0fa2648cf

SHA256
32c42a6ad78053c19ef29aeffd67292b9825d74b3ff2882923643b41bbed4cb9

SHA512
f37fdba4d3e959e683dea4222ae5ef371a9fa67ed6ae9be017bbf9eae0b90bb06d4260f248f8cf1359a5f0a872e2a38b011dac938a6f6227891e48b53c1a4665

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
63KB

MD5
59053cbd3d441ab41c51ca1750f3e821

SHA1
5720b3734f0d2cfc1aecb92976b7c9e8ae5f3742

SHA256
b932e9fa79bbb927450531fa84c4f5a3727004d4d480a4f3edcd420e1dfa1631

SHA512
8e00ba1eb93375f508040f21d7734e45470a68b87e1dae10a84b495f842dd3ff5fde247a1e4b1a71ce58fc6a1be22c79fd20cca83e7012054845069132d44594

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
63KB

MD5
3674b21c5f8ff5fe31301b2258629825

SHA1
e6924f6a1644198de6d6736f4fb1df0907921010

SHA256
d2d95cee9aaf127121298a14cdb9d44046512a3e03ec95a611d7aab82b883286

SHA512
ea281f49a252f7ed8372422bd2061f4d51d3d26e898f1108d9336f5b60207f9847a51a6ca759b39e3f0838294cbbdd35728b0f961f4e3758a78ec318d790dd39

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
63KB

MD5
5f09f121e4adab4742830fc5c4200536

SHA1
38ad1dc478e4fcd136ff7ec114c9fce42db02541

SHA256
cd53c7a2714ffdd1982296be4a5908a85bd2d84efbe3f49357bc7e69740fbcd2

SHA512
2f129620c6f73f4cc20f75e451c145282b0e54325747a53d486eeb62e2662ac5aad6aab4954a2db29245bde0706b88fe4fa6ad605be0e8086a5bd7b1fef77d4d

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
63KB

MD5
270d167b563b143c4a1b653021998df1

SHA1
cc216fda65a3d339328e5291f5786532394528e4

SHA256
2b7c233dd8fc4c5bfefb7382837c162202745c73aa16e7dbc138633b5b6d5116

SHA512
bb21fddcb1d3176ae900c3ab1eb62a5bf39ecebd081dcfe940a3a6dfcf385b30b9cacd23bff19894484f9d5fb3dbd8bec5c42c1339651ab286546c4011d19339

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
63KB

MD5
fb44304b7e07bd509bd6d62e5c775482

SHA1
12c8d33c6c728623a279865ce84aaeeda7da4aae

SHA256
a8a69c2d1a6a47b905d073f38654b7ffbcb9b7419e622a0e7b85f5b566f11885

SHA512
4ed97657df4faa2b7391821fb27e299dc99147d752ceab427ccdc4c044eaa5dcbeab4b9210d5551349019340fa8e6214d14750ab417c2366ada5814f8ca8a501

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
63KB

MD5
877ba0a545dced7ddc87de9616020229

SHA1
2f0e9b89fe9ff5c4d91ce589feba6f0918837aa0

SHA256
3789764d65fc4ae9a33781d5934f03c825e9f12be2009ff5cde344b496c1057c

SHA512
d42e5dd30551870565e9ab5811c200fd71b8250561b1fc6896b5b61aca2ed173aeff8b22eb33e43c31e7232a50897bcb64b59e698a33ef55c305156ade40aeb3

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
63KB

MD5
206f290d964263c4ec0fc934dafad9d8

SHA1
845478d39ea9e56c9fa252fcb7682f4576dfd84b

SHA256
0d3c3efa528498bb08bab53080d8d694ac7caee1e5e8009e91fbaf59c412b255

SHA512
cdbae3886ea841e3c2c1e69bbc4b4090f0cae5ea5634810ea2f6af10d8589b7302efa37ecfc43c3c0af885f38c00e23307210e0d3b396d6762d97c1b29b601e4

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
63KB

MD5
a9c21c879ecb36775076d0e86a532235

SHA1
9d0e07c13bf1a652368634cd006da8726b62c0cf

SHA256
d36284b94d11918824435049dbaa8b48ed98047808b0a5eaa434bb0422c6e67e

SHA512
4271ef7c5ab183bde8524a403a0275fa6eef1f1c6b991e80f5369a9cf4d516ee4e4dd0247fc1d209a5036ebb0c5d46e976e206f6642c92192c50b2ea4a4403ea

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
63KB

MD5
4eeb1b0f85c20317b1357a62ff7f7142

SHA1
ce3d1c2f8126f0d5801ca818da6bc95925a5f334

SHA256
e80790de69bce555a402caa7b21659eccd79162bd937f4c4976bff39fee34d1d

SHA512
07493daf66f191292c7e35e8bbd0ba84166d7157a531e914ca71cfa9e60c187390f67ba51c17ccff8b884ea831420daf64490f5cd2130c9acece4abf1221cb88

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
63KB

MD5
47b9f6684465c2c5896fc08733edcf79

SHA1
5e51090dcde2694110f350ffdf9fc7667b6b43d7

SHA256
630852f007d780314a0a318bb8ebf83b43186a90eab3351577d8844231833052

SHA512
068abdee5d34e4b30779569a76ccc693af611dbfaf39a5c640fee7de979f7a8a26f2230fb073cb55a8b032b3f175c6fd13d1524f5700e57fc123998054e86225

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
63KB

MD5
756baf83205f4927937c781a4fec461c

SHA1
59d7ac993801d5144bc7eac3014d9447f3716bd6

SHA256
03bb9e0f09ef3afee48df4fb295cb3267b41147f3a5b5b02d3f3911824941bad

SHA512
9b844fa661d2c0f3bace33fc6ea67dbe8ec6c92e7f6cff548383b00ab1e889bf2eb87cf7ea64e9bb90ff09f39e266b74844b1c301731c9134a21edb268f34a6b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
63KB

MD5
3d49c1793894f70e0ba6a8d10060d9eb

SHA1
59bcb2190526d35ff9bb23b0271db5798dcb3345

SHA256
c6f2f213d8d7aed9db5f8455ea43611645c4acbe74e6be5f3c2e1d4d9d5adad4

SHA512
f4bfe0289318a25e8fb302a8964c45c9b4f3b5aef7b35c895db5d1aaf782d28a1f44d67cdd952992901245529e878e6d104b4ddc162d7f4b2e589ecfbbe642b5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
63KB

MD5
13145add1620b30f8ef9e5948d07f58d

SHA1
040341535e507a61dd232dff09fa2ccd4b641f78

SHA256
5926c34927c0cf7af5a4a863d0b5f823e847241991f931dbd8f9f3ba0247134b

SHA512
3d6e8bd1815959ed06d653e9e0d1881672424412a652c81384b5f909b10b3c3e69fdd087b25c5cb97c15689eec8e3e14335e780e0ed092b0f5abee20b00aced7

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
63KB

MD5
88056d70c8920b43b933e01179fea6cb

SHA1
3ec53c3821834fb95500fbae9fdfe617b87dd862

SHA256
1c44fe2bb72fb4ff2e963db07637fb0632999e6e7ef9d63b377db5527cfcfe71

SHA512
e9a39973b0da534e1682e45eb96eaa4d36289c4bc4014497eab36ce7eb52c68bec9ff3fe8000c4e8fe576e0637f2098f3441a9f413655a3d6c303de12166aa2b

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
63KB

MD5
d88b1ba81b7e0933a91f56104e33407e

SHA1
c12e8c872a6446ab9f2d5291ba9d4f41ecdf7174

SHA256
61f579e26ba215e4f266ba5769035dab9d5825ebdf58c20057e5a8000ca012d1

SHA512
041317d4430a332487dd3c9db0fbd753fbadc30dc201a368d96dadc4b330f4d140452d8eb8f7bebe04029efdcbff06965844f46b9b87f2f4c4bddc21c01d82d6

Download Submit
memory/412-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/412-172-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1080-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1080-163-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1212-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1212-164-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2008-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2008-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2680-103-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2680-159-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3016-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3016-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3084-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3084-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3248-153-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3248-151-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3312-165-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3312-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3352-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3352-39-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3468-161-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3468-87-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3508-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3508-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3640-169-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3640-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3928-160-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3928-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3972-162-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3972-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4204-171-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4204-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4432-157-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4432-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4632-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4632-128-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4720-170-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4720-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4924-111-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4924-158-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads