berbew | a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f

Analysis

max time kernel
94s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Size

96KB
MD5

e78e0b9f04af650e7668fa65556e906d
SHA1

4f4359bbe72e181621ddf4ee59b63b1229aa1650
SHA256

a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f
SHA512

01115116673b45b69c0b30727dc7e2dd44ecfa78c8483f66e009cfe335279f3d4632d886c316858fbe17088525223f6606aca41b942a7546e53d9f462557dd28
SSDEEP

1536:Q/XyVgAF2Q6nQn3HmkPGAmfTniHrUlaT49NVv22LposBMu/HCmiDcg3MZRP3cEWh:QqVgA76Qn3HXuAJHrUIqvbpoa6miEo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 10 IoCs

pid	Process
1744	Dmgbnq32.exe
116	Deokon32.exe
964	Dhmgki32.exe
4144	Dfpgffpm.exe
1892	Dogogcpo.exe
3620	Daekdooc.exe
3732	Dddhpjof.exe
5036	Dgbdlf32.exe
4588	Doilmc32.exe
4544	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3048	4544	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 1744	216	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe	82
PID 216 wrote to memory of 1744	216	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe	82
PID 216 wrote to memory of 1744	216	a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe	82
PID 1744 wrote to memory of 116	1744	Dmgbnq32.exe	83
PID 1744 wrote to memory of 116	1744	Dmgbnq32.exe	83
PID 1744 wrote to memory of 116	1744	Dmgbnq32.exe	83
PID 116 wrote to memory of 964	116	Deokon32.exe	84
PID 116 wrote to memory of 964	116	Deokon32.exe	84
PID 116 wrote to memory of 964	116	Deokon32.exe	84
PID 964 wrote to memory of 4144	964	Dhmgki32.exe	85
PID 964 wrote to memory of 4144	964	Dhmgki32.exe	85
PID 964 wrote to memory of 4144	964	Dhmgki32.exe	85
PID 4144 wrote to memory of 1892	4144	Dfpgffpm.exe	86
PID 4144 wrote to memory of 1892	4144	Dfpgffpm.exe	86
PID 4144 wrote to memory of 1892	4144	Dfpgffpm.exe	86
PID 1892 wrote to memory of 3620	1892	Dogogcpo.exe	87
PID 1892 wrote to memory of 3620	1892	Dogogcpo.exe	87
PID 1892 wrote to memory of 3620	1892	Dogogcpo.exe	87
PID 3620 wrote to memory of 3732	3620	Daekdooc.exe	88
PID 3620 wrote to memory of 3732	3620	Daekdooc.exe	88
PID 3620 wrote to memory of 3732	3620	Daekdooc.exe	88
PID 3732 wrote to memory of 5036	3732	Dddhpjof.exe	89
PID 3732 wrote to memory of 5036	3732	Dddhpjof.exe	89
PID 3732 wrote to memory of 5036	3732	Dddhpjof.exe	89
PID 5036 wrote to memory of 4588	5036	Dgbdlf32.exe	90
PID 5036 wrote to memory of 4588	5036	Dgbdlf32.exe	90
PID 5036 wrote to memory of 4588	5036	Dgbdlf32.exe	90
PID 4588 wrote to memory of 4544	4588	Doilmc32.exe	91
PID 4588 wrote to memory of 4544	4588	Doilmc32.exe	91
PID 4588 wrote to memory of 4544	4588	Doilmc32.exe	91

C:\Users\Admin\AppData\Local\Temp\a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe
"C:\Users\Admin\AppData\Local\Temp\a131e9dcf53932afc6d526d3c7bfc0f79cd8e80134109e7679d67f420283bd3f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\Dmgbnq32.exe
  C:\Windows\system32\Dmgbnq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\Deokon32.exe
    C:\Windows\system32\Deokon32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\Dhmgki32.exe
      C:\Windows\system32\Dhmgki32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 396
        12⤵
        Program crash
        
        PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4544 -ip 4544
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
0a3312ab1c00fd381dcfaed1b15d0108

SHA1
45162926ac17456a4b5b70f3b4cb5d8e0f2bb5e4

SHA256
15713f0c1bee2bbba270b1c7437267b7202c82190b7e49e43bb26a272c5d3dad

SHA512
bcc54a0e7cb549af6b2f87a1212e85ee3b2e996fe8516e52bb35eb362c6457e8d78ed42adeeba5a221ee3ad1142ea2e0931d5b0539dbbbdbbc5f985fac8e4808

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
c72a63cc4a3dc42ac20cab20f5b2918c

SHA1
bc920a3a04d8bf323528bf363655a313a4abaf51

SHA256
e4ea22f253b35e6fbe1af3e7050f4f4609492ee6060603e5dd8e73441550ef71

SHA512
3a6edfd4ab144a6aad72623cc046dabb38a5116e2020aa107aec4a8499e60fe89950e47c2e07a90be55ee1200a94c4ef354fd6d58bc03df4318f05a52b04d9b3

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
62d05e84931fe646abfb06d1fa706d07

SHA1
c0993b15d41dd425fa7fd570703d77ac643c4a48

SHA256
2185b1f593f56ff57cbb30c3f8db0182f9479983cfcd735fc3219c4aa090b45c

SHA512
e9f6a4cddfeb2a5a20359fa93134581486bea7685e1c7ec81d358c48282e850db389c9dd2fb1fa4e138db8d4dbd18d7b25f9fd49e729625859e45eec1afcd0cd

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
acd42e1e11297fc03db0ee7e77baea6e

SHA1
b23af6231120a3543510af664ecde93e20cc8c22

SHA256
2b31a4a1fa29d56935a609aa61b66a9b55e5b1775854e52b58f44c20e5b2c629

SHA512
bca7f397fd7263ae31c3ac42eba7d52569c93a654699f46aa49a9ee07635ad819f01a67b14fa3e9450cb7f28db2e6b0c59eceb23fe75fb0d40787efbde3e5160

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
eabf80506596ebe249b4776da712bebc

SHA1
4420b44f37de55338f261397538abfce5e22cd9d

SHA256
027d5e129a1ac26bd29e4960b10681c72a6be52e3ebdc159a88654e53e520113

SHA512
27ba14bed0b09ebb243a89f5b4a27d1d758fb4ad3ed3411d3b0063811f359e3d1e829714bbd09b477932947ede3e6896f4c7fc296067663a062c29b9ee018a01

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
40fdcd9ca415064a073c0fa7aa5bed1d

SHA1
b862f9442c61ade224073579d814aa46f40cc302

SHA256
393cb134062c5bc3621db467e16716e6c75787567adf8085fa0b3a6a2cf55a31

SHA512
8f7895dd19fbe91c9bd14fb84e165d2845a7f1d22a20334f8f91e8f86aa2fe8f3777f2b1c36b13ef2b1b81aff6102eb843be767498dc88030b3599a9919f97a1

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
afd1dc785d6d8e8331aa642c8e5c0fd7

SHA1
c27a8133a138178ba01f67e86aacfcc33eda9bd0

SHA256
23a541377c457a3595d611def293c32d991d2ab9d6ec729425f9a80e4d3f87d0

SHA512
8aecce182a191d3035df117ac176a05aba0af445a59af626c0ae363057bcbf1ca73533b5ee06d9009153c0fb19c9bf1bf4130dfee994d9436fabaa92e9d1a5c3

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
559262f3d952cefb984603a0ebc6ccf0

SHA1
ea250c3e652b227c4035cd9ed28235815b9e91ca

SHA256
043628a99a1fde96aadd60619e078490765a08264b01c9aa691677476df8ae93

SHA512
389ef250a0b59981365d6c1cfb1463e669d7637522e9ef60cb78a8edd34de886019fd327936fb073d4b63b9298f4a62c8b82f02b2b3fb12d1497d377dfad5a8d

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
d9612583c9cf4a87364ca0fa0e1ebe9a

SHA1
067eb143e156ccc3129cae8768d75ff433ffdf28

SHA256
4aada9151cb58dd149066a52d6979df56e3fefc80010c1967e658a9ac6e58e50

SHA512
5d4c007d85ed7b1f12abe09c537552cbace023f11123f72a659ca62d3df1ca0ef97069fd8518a6e1ef7b444926e2b96b249f613c954bbf98af51bc9e2c8374f3

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
96KB

MD5
9c1409d2c1a51030d3103e1c934fee63

SHA1
d4a2fbebe0e5ad27407801a81e154fc05804c533

SHA256
956d67f8175cf1401ce6f1429faff05f59d661b79a279384c1c4998ef40b100e

SHA512
c37440594248713a2db18f390cc14c9a3843d1c7bfbf9d1b641bb264c43416072d5ddf6964cdaa5f5930f2b649ccb84d5b92d7139d1ca78aad6f190238e66fdb

Download Submit
memory/116-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/964-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads