berbew | 948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65ae

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Size

232KB
MD5

d410e228f5c3decc42f498db4acc60b0
SHA1

1791a7ae32a3ef2cb990c96000057e008efa18f8
SHA256

948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65ae
SHA512

17dd5c3de073c8456f46b5ffa638c98f388c7c26177c74c31f1a185b89ce9ab7490824814609d88a5642af6e9139c608a6b12b9970ec335c6e2ab3e5a5ae12d3
SSDEEP

3072:rFKcMgu5HGYZq47usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbNRfz/:rkH4YZq46s21L7/s50z/Wa3/PNlPX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ainmlomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahfgbkpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmepanje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiqjao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiqjao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpmdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpmdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ainmlomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfgbkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmepanje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjiljf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 12 IoCs

pid	Process
2156	Pfnhkq32.exe
2768	Pjpmdd32.exe
2776	Qgfkchmp.exe
2852	Qmepanje.exe
2644	Ainmlomf.exe
1052	Aiqjao32.exe
2400	Ahfgbkpl.exe
2052	Bjiljf32.exe
1696	Cbkgog32.exe
2020	Ccnddg32.exe
2892	Clfhml32.exe
2168	Coindgbi.exe

Loads dropped DLL 24 IoCs

pid	Process
2236	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
2236	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
2156	Pfnhkq32.exe
2156	Pfnhkq32.exe
2768	Pjpmdd32.exe
2768	Pjpmdd32.exe
2776	Qgfkchmp.exe
2776	Qgfkchmp.exe
2852	Qmepanje.exe
2852	Qmepanje.exe
2644	Ainmlomf.exe
2644	Ainmlomf.exe
1052	Aiqjao32.exe
1052	Aiqjao32.exe
2400	Ahfgbkpl.exe
2400	Ahfgbkpl.exe
2052	Bjiljf32.exe
2052	Bjiljf32.exe
1696	Cbkgog32.exe
1696	Cbkgog32.exe
2020	Ccnddg32.exe
2020	Ccnddg32.exe
2892	Clfhml32.exe
2892	Clfhml32.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pfnhkq32.exe	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
File opened for modification	C:\Windows\SysWOW64\Pjpmdd32.exe	Pfnhkq32.exe
File created	C:\Windows\SysWOW64\Qmepanje.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Dafikqcd.dll	Aiqjao32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Ahfgbkpl.exe	Aiqjao32.exe
File created	C:\Windows\SysWOW64\Bjiljf32.exe	Ahfgbkpl.exe
File created	C:\Windows\SysWOW64\Ccnddg32.exe	Cbkgog32.exe
File opened for modification	C:\Windows\SysWOW64\Ccnddg32.exe	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Pjpmdd32.exe	Pfnhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Qmepanje.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Fgielf32.dll	Qgfkchmp.exe
File opened for modification	C:\Windows\SysWOW64\Ainmlomf.exe	Qmepanje.exe
File created	C:\Windows\SysWOW64\Pohoplja.dll	Qmepanje.exe
File created	C:\Windows\SysWOW64\Aiffeloi.dll	Pjpmdd32.exe
File created	C:\Windows\SysWOW64\Aiqjao32.exe	Ainmlomf.exe
File created	C:\Windows\SysWOW64\Kdgfnh32.dll	Ainmlomf.exe
File opened for modification	C:\Windows\SysWOW64\Ahfgbkpl.exe	Aiqjao32.exe
File opened for modification	C:\Windows\SysWOW64\Clfhml32.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Clfhml32.exe
File created	C:\Windows\SysWOW64\Cbkgog32.exe	Bjiljf32.exe
File opened for modification	C:\Windows\SysWOW64\Cbkgog32.exe	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Pfnhkq32.exe	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
File created	C:\Windows\SysWOW64\Jcfddmhe.dll	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
File created	C:\Windows\SysWOW64\Nohefjhb.dll	Pfnhkq32.exe
File created	C:\Windows\SysWOW64\Qgfkchmp.exe	Pjpmdd32.exe
File opened for modification	C:\Windows\SysWOW64\Qgfkchmp.exe	Pjpmdd32.exe
File created	C:\Windows\SysWOW64\Ainmlomf.exe	Qmepanje.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Clfhml32.exe
File opened for modification	C:\Windows\SysWOW64\Aiqjao32.exe	Ainmlomf.exe
File created	C:\Windows\SysWOW64\Kipdmjne.dll	Ahfgbkpl.exe
File created	C:\Windows\SysWOW64\Hjlkkhne.dll	Ccnddg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjiljf32.exe	Ahfgbkpl.exe
File created	C:\Windows\SysWOW64\Clfhml32.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Jlmhimhb.dll	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Madcho32.dll	Cbkgog32.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfnhkq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpmdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfkchmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmepanje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiqjao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccnddg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clfhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ainmlomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfgbkpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiljf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahfgbkpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffeloi.dll"	Pjpmdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdgfnh32.dll"	Ainmlomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiqjao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohefjhb.dll"	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgielf32.dll"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpmdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiqjao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll"	Ahfgbkpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmepanje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohoplja.dll"	Qmepanje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafikqcd.dll"	Aiqjao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahfgbkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll"	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madcho32.dll"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ainmlomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ainmlomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmepanje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfddmhe.dll"	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjpmdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkkhne.dll"	Ccnddg32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2156	2236	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe	30
PID 2236 wrote to memory of 2156	2236	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe	30
PID 2236 wrote to memory of 2156	2236	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe	30
PID 2236 wrote to memory of 2156	2236	948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe	30
PID 2156 wrote to memory of 2768	2156	Pfnhkq32.exe	31
PID 2156 wrote to memory of 2768	2156	Pfnhkq32.exe	31
PID 2156 wrote to memory of 2768	2156	Pfnhkq32.exe	31
PID 2156 wrote to memory of 2768	2156	Pfnhkq32.exe	31
PID 2768 wrote to memory of 2776	2768	Pjpmdd32.exe	32
PID 2768 wrote to memory of 2776	2768	Pjpmdd32.exe	32
PID 2768 wrote to memory of 2776	2768	Pjpmdd32.exe	32
PID 2768 wrote to memory of 2776	2768	Pjpmdd32.exe	32
PID 2776 wrote to memory of 2852	2776	Qgfkchmp.exe	33
PID 2776 wrote to memory of 2852	2776	Qgfkchmp.exe	33
PID 2776 wrote to memory of 2852	2776	Qgfkchmp.exe	33
PID 2776 wrote to memory of 2852	2776	Qgfkchmp.exe	33
PID 2852 wrote to memory of 2644	2852	Qmepanje.exe	34
PID 2852 wrote to memory of 2644	2852	Qmepanje.exe	34
PID 2852 wrote to memory of 2644	2852	Qmepanje.exe	34
PID 2852 wrote to memory of 2644	2852	Qmepanje.exe	34
PID 2644 wrote to memory of 1052	2644	Ainmlomf.exe	35
PID 2644 wrote to memory of 1052	2644	Ainmlomf.exe	35
PID 2644 wrote to memory of 1052	2644	Ainmlomf.exe	35
PID 2644 wrote to memory of 1052	2644	Ainmlomf.exe	35
PID 1052 wrote to memory of 2400	1052	Aiqjao32.exe	36
PID 1052 wrote to memory of 2400	1052	Aiqjao32.exe	36
PID 1052 wrote to memory of 2400	1052	Aiqjao32.exe	36
PID 1052 wrote to memory of 2400	1052	Aiqjao32.exe	36
PID 2400 wrote to memory of 2052	2400	Ahfgbkpl.exe	37
PID 2400 wrote to memory of 2052	2400	Ahfgbkpl.exe	37
PID 2400 wrote to memory of 2052	2400	Ahfgbkpl.exe	37
PID 2400 wrote to memory of 2052	2400	Ahfgbkpl.exe	37
PID 2052 wrote to memory of 1696	2052	Bjiljf32.exe	38
PID 2052 wrote to memory of 1696	2052	Bjiljf32.exe	38
PID 2052 wrote to memory of 1696	2052	Bjiljf32.exe	38
PID 2052 wrote to memory of 1696	2052	Bjiljf32.exe	38
PID 1696 wrote to memory of 2020	1696	Cbkgog32.exe	39
PID 1696 wrote to memory of 2020	1696	Cbkgog32.exe	39
PID 1696 wrote to memory of 2020	1696	Cbkgog32.exe	39
PID 1696 wrote to memory of 2020	1696	Cbkgog32.exe	39
PID 2020 wrote to memory of 2892	2020	Ccnddg32.exe	40
PID 2020 wrote to memory of 2892	2020	Ccnddg32.exe	40
PID 2020 wrote to memory of 2892	2020	Ccnddg32.exe	40
PID 2020 wrote to memory of 2892	2020	Ccnddg32.exe	40
PID 2892 wrote to memory of 2168	2892	Clfhml32.exe	41
PID 2892 wrote to memory of 2168	2892	Clfhml32.exe	41
PID 2892 wrote to memory of 2168	2892	Clfhml32.exe	41
PID 2892 wrote to memory of 2168	2892	Clfhml32.exe	41

C:\Users\Admin\AppData\Local\Temp\948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe
"C:\Users\Admin\AppData\Local\Temp\948c936ec068cb31bfc96159784d2799aae0a46a7a8d4f047cfffae0595f65aeN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\Pfnhkq32.exe
  C:\Windows\system32\Pfnhkq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\Pjpmdd32.exe
    C:\Windows\system32\Pjpmdd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\Qgfkchmp.exe
      C:\Windows\system32\Qgfkchmp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Qmepanje.exe
        
        C:\Windows\system32\Qmepanje.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\SysWOW64\Ainmlomf.exe
        
        C:\Windows\system32\Ainmlomf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Aiqjao32.exe
        
        C:\Windows\system32\Aiqjao32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Ahfgbkpl.exe
        
        C:\Windows\system32\Ahfgbkpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Bjiljf32.exe
        
        C:\Windows\system32\Bjiljf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Cbkgog32.exe
        
        C:\Windows\system32\Cbkgog32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Ccnddg32.exe
        
        C:\Windows\system32\Ccnddg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Clfhml32.exe
        
        C:\Windows\system32\Clfhml32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aiqjao32.exe

Filesize
232KB

MD5
22271f902ca26716e31f852eb972fd80

SHA1
5328d71839a15d6e45954ac9b91c7b2b97aecd19

SHA256
b6e913f324f0abc9689447e073b558afa5520772df5fb1c5ab9a7cc11f35c1c3

SHA512
813edb51624d2111049c58b0ae21284fe33db07575cdbe86663e2dd50860d6695c76aca56a97593febfb80b254b1943b04ceb34d7cc0aa7dcc977deea8421668

Download Submit
\Windows\SysWOW64\Ahfgbkpl.exe

Filesize
232KB

MD5
42631b2bccdd2eefbcdee1b7e5c514e1

SHA1
b67e61c73540f4d9c74a57643ab93be990c9a417

SHA256
d7915ff0d3e59715baa6be5943b857fb5ceb0bf7d5be4541d208a2dc526f1546

SHA512
0b93308ea861fb66d1cc64f31fa7a821442292084a1f73c4849f5281f6ee098b11a6d5e1827da84207fcb5329dbdc0670e47ace21528be6f222521ae8a1ffdba

Download Submit
\Windows\SysWOW64\Ainmlomf.exe

Filesize
232KB

MD5
55ce06f0bde67997b1b64cd1aac1a543

SHA1
2ffa5c08e30913ec4552dbd1fe43d8b8999bbf92

SHA256
142c48406ee69fcc48e7ac122a94447f3621864ea194be26a037033ffb2255e8

SHA512
a2d2e360bfb7db6ba1471a5eda60b7b8657a3ab40c8d88330541952efec0a7c7efa4bab9618aa7f9640c3d00dc5f176b9dd716eb57be15cb92098a9ac9249a18

Download Submit
\Windows\SysWOW64\Bjiljf32.exe

Filesize
232KB

MD5
df48448295a5245ab22b7f82050441bd

SHA1
f74d32bc902a8be4dbbdc9e4ab0ab8c369e9d8f5

SHA256
88efaba31a72382f49d9279ced04666226980eadfbd77f9aad62176f92a1e120

SHA512
8414cefbbd18eaade1d2199de599d8bec5f6e88d6261b7e16af0e7bd9c5493fc7d431128e2f9a7ac03f93f57df07b598183cee4153bc1542e19262290543df62

Download Submit
\Windows\SysWOW64\Cbkgog32.exe

Filesize
232KB

MD5
8c821324727bc59175cdacccb0194909

SHA1
b62353d7c090453af8f07a01b9acb9d3fc9bd49e

SHA256
57ea2b0b89a966f7e2ed047adfe6b6b1569e7e68f92bdcc10c7f6bc0e122dc5b

SHA512
bc66dbcfb4f8883b65785bf34bec042271000e9831736c580c9258e866282c78b6f002cb4f3a9a32009342405ec4fa11f9e859789492c542fc321b02deb81b39

Download Submit
\Windows\SysWOW64\Ccnddg32.exe

Filesize
232KB

MD5
cf94fb6054c8e6def17cb8835a2fdd5b

SHA1
b8d29834e683fc10826be96526c5300b7d184944

SHA256
a12c2e1d83b905bfb54ca5033dbb89aa61a823a3ae4c1af1169c523ea1e8b721

SHA512
7c30a89902d5f2113b22ad402d19256ae15940751527dc7ef16ad54a1f90fa62eaebe85150b82e17578072026bd9ff1a1416326064609d2209466dc974c16ccc

Download Submit
\Windows\SysWOW64\Clfhml32.exe

Filesize
232KB

MD5
e373317355aa5a4eaf2b656844fcaf64

SHA1
b33c2ff46ba92c00896636883e1272f459c14f5d

SHA256
09a45908a4ec9d6194eb7aae74f496965396da3bb1ab0898527462db74370143

SHA512
fa14599a2e8a6102b9c9b10b4fd455297ddcac5355dde9c9c590140ef0cd1b54b67ff51ee4903a61fcc86a4598ac33f7790b03603f008250ed9adf4ef4651ae3

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
232KB

MD5
59021a28f5fb37aa1f9002dc714c6d26

SHA1
47f84f7ee2c3053eac650f8bb8efbc44c5584be7

SHA256
932e577855e6e5758f13c1b90f1557c3af50a91eb3282dd9a01f95d0244381e4

SHA512
c8046055013a667e8951a0bdd9b710bd4140acbc09d1a96992bca1d65e3f9294411f2b03f0f2a6771841a2054c7dd566ec7026199836352c71d73736b7b8fb65

Download Submit
\Windows\SysWOW64\Pfnhkq32.exe

Filesize
232KB

MD5
7e4b5074ab6f6972681de4806127c925

SHA1
0cea718428432523101625a27c70267d3d0425ff

SHA256
73843273e43e09b8d0d8f75658c7d1e4548a3884164194c03101f80347c2f2ea

SHA512
fa1de247f4a02fbbea2ffe58e416335bbc719950dc0bdc204674080dbabb05be9562c0e62452352a767f0c73d59589b5d31df8666aca1ce360b9ee8d5ef9698f

Download Submit
\Windows\SysWOW64\Pjpmdd32.exe

Filesize
232KB

MD5
4dd9e59cd490b2e2069f49c9e6b8255f

SHA1
a51f18a1fd3a87aa666d9414eb99d5b4838cd86d

SHA256
2f6bd49d945f8483fb0e0f67ce264406e5b9787da2221fba6feec9fe352383af

SHA512
99c7b044834e4062158c391ff0acb6d1aec5cf2f2028db707ad829a13c2d2602b76e5bb795e154565baf8f90790a8efb2676479558e4d19a5b858372e81401f6

Download Submit
\Windows\SysWOW64\Qgfkchmp.exe

Filesize
232KB

MD5
ad142126f73b061bb0085de06ef115c6

SHA1
7ef650d8ba513e5eecf6fadb67a31a2e290e6128

SHA256
aafd85fb430b2c00a5fde9c97749bc34381ff09380410b956af08cb61a1cd5d8

SHA512
b989580b01c7cf4f0376bc5b5365f6f00c412142651d754a2ed666926c3b41e4065ff956e3b4ba242e9a317f0bc74075be4a727eedecccdb6e6489d996839370

Download Submit
\Windows\SysWOW64\Qmepanje.exe

Filesize
232KB

MD5
7cb913506bd18e97fae22c4911aaa6a7

SHA1
2bf85b88ac1fc5c095a37c6be2b63b4f5a3d9587

SHA256
ae5be8463d9a961085b357d0d3c24558ee09ea10314c8c727f9999f5e4f1a4aa

SHA512
045fac77fdd20bd894d8e6ed101f256e0e2cad4d265b7a4770622385ddd76bcc9dae7a278bebbf9bbb461b5d87e857ab2c734ea678e684891d0a8ee9fba2afdb

Download Submit
memory/1052-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-90-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1052-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-136-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1696-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-145-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2020-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-118-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2156-26-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2156-25-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2156-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-7-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/2236-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-12-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/2400-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-108-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2644-81-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2644-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-35-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2768-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-63-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2892-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads