berbew | 7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Size

96KB
MD5

d65c7daa569ff2d11b5125f9916cf13e
SHA1

d424103cb6ed94272876428c65500123ac04c085
SHA256

7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe
SHA512

f07feb19e0278d8de11c63e4515c9746f64d50364c07fea069f6b7fdecd429da5bfed39485de80eba95a7580e9ec1a36f34a32224dffb68905681379c0ba4c10
SSDEEP

1536:TWlVUgk1mk1JFSTAVEerI0q6VUaiYFsX6IaG6duV9jojTIvjr:TW/Ugk4jxerySUa7KqIP6d69jc0v

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 9 IoCs

pid	Process
2784	Cagienkb.exe
2900	Cinafkkd.exe
2592	Ckmnbg32.exe
2564	Cjonncab.exe
2620	Clojhf32.exe
2912	Calcpm32.exe
2424	Ccjoli32.exe
1676	Dnpciaef.exe
2960	Dpapaj32.exe

Loads dropped DLL 21 IoCs

pid	Process
2676	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
2676	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
2784	Cagienkb.exe
2784	Cagienkb.exe
2900	Cinafkkd.exe
2900	Cinafkkd.exe
2592	Ckmnbg32.exe
2592	Ckmnbg32.exe
2564	Cjonncab.exe
2564	Cjonncab.exe
2620	Clojhf32.exe
2620	Clojhf32.exe
2912	Calcpm32.exe
2912	Calcpm32.exe
2424	Ccjoli32.exe
2424	Ccjoli32.exe
1676	Dnpciaef.exe
1676	Dnpciaef.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	2960	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2784	2676	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe	31
PID 2676 wrote to memory of 2784	2676	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe	31
PID 2676 wrote to memory of 2784	2676	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe	31
PID 2676 wrote to memory of 2784	2676	7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe	31
PID 2784 wrote to memory of 2900	2784	Cagienkb.exe	32
PID 2784 wrote to memory of 2900	2784	Cagienkb.exe	32
PID 2784 wrote to memory of 2900	2784	Cagienkb.exe	32
PID 2784 wrote to memory of 2900	2784	Cagienkb.exe	32
PID 2900 wrote to memory of 2592	2900	Cinafkkd.exe	33
PID 2900 wrote to memory of 2592	2900	Cinafkkd.exe	33
PID 2900 wrote to memory of 2592	2900	Cinafkkd.exe	33
PID 2900 wrote to memory of 2592	2900	Cinafkkd.exe	33
PID 2592 wrote to memory of 2564	2592	Ckmnbg32.exe	34
PID 2592 wrote to memory of 2564	2592	Ckmnbg32.exe	34
PID 2592 wrote to memory of 2564	2592	Ckmnbg32.exe	34
PID 2592 wrote to memory of 2564	2592	Ckmnbg32.exe	34
PID 2564 wrote to memory of 2620	2564	Cjonncab.exe	35
PID 2564 wrote to memory of 2620	2564	Cjonncab.exe	35
PID 2564 wrote to memory of 2620	2564	Cjonncab.exe	35
PID 2564 wrote to memory of 2620	2564	Cjonncab.exe	35
PID 2620 wrote to memory of 2912	2620	Clojhf32.exe	36
PID 2620 wrote to memory of 2912	2620	Clojhf32.exe	36
PID 2620 wrote to memory of 2912	2620	Clojhf32.exe	36
PID 2620 wrote to memory of 2912	2620	Clojhf32.exe	36
PID 2912 wrote to memory of 2424	2912	Calcpm32.exe	37
PID 2912 wrote to memory of 2424	2912	Calcpm32.exe	37
PID 2912 wrote to memory of 2424	2912	Calcpm32.exe	37
PID 2912 wrote to memory of 2424	2912	Calcpm32.exe	37
PID 2424 wrote to memory of 1676	2424	Ccjoli32.exe	38
PID 2424 wrote to memory of 1676	2424	Ccjoli32.exe	38
PID 2424 wrote to memory of 1676	2424	Ccjoli32.exe	38
PID 2424 wrote to memory of 1676	2424	Ccjoli32.exe	38
PID 1676 wrote to memory of 2960	1676	Dnpciaef.exe	39
PID 1676 wrote to memory of 2960	1676	Dnpciaef.exe	39
PID 1676 wrote to memory of 2960	1676	Dnpciaef.exe	39
PID 1676 wrote to memory of 2960	1676	Dnpciaef.exe	39
PID 2960 wrote to memory of 2752	2960	Dpapaj32.exe	40
PID 2960 wrote to memory of 2752	2960	Dpapaj32.exe	40
PID 2960 wrote to memory of 2752	2960	Dpapaj32.exe	40
PID 2960 wrote to memory of 2752	2960	Dpapaj32.exe	40

C:\Users\Admin\AppData\Local\Temp\7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe
"C:\Users\Admin\AppData\Local\Temp\7d61e3fc449475cbf23ed4947b5ccabf47d44712455efbdf2ae059298ec65dbe.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\Cagienkb.exe
  C:\Windows\system32\Cagienkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\Cinafkkd.exe
    C:\Windows\system32\Cinafkkd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\Ckmnbg32.exe
      C:\Windows\system32\Ckmnbg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 144
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
96KB

MD5
d448f6d9d78c7650d0da7d8453352a63

SHA1
151de8064675a562445f45358861a3a07b6ce9d7

SHA256
0ce794530337016c3ca1323ebae366a457a52eae40f3e56d4ebfe7f633175860

SHA512
c393dcca68faa847694a6ac54fde2a1dbb3278340a37602656b85aff48ee8d9ea977b11f966396a063b184443d3502cc245c4b3b05329ed69b3fc64543f6e9e9

Download Submit
C:\Windows\SysWOW64\Efeckm32.dll

Filesize
7KB

MD5
c2ea1017d4ae188e75334d1ad0c50065

SHA1
4d56e8ff965e610b47b21eadcf3849bbf93e1c90

SHA256
b652f620b1acfdac46181f98152797c5622b33b44a91291ea2d00449205162ae

SHA512
6815451459fcdcf44677a5b6451400d309338651d325a4abff058f6fce38353bc400386b912f8aafd353ccbfd5578ed06cc606081c603747999a06b899c984af

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
96KB

MD5
026b1f29de66e5d0ef5bfa32185f24a5

SHA1
3af60836f434fc68950520af0a441a6c7b9c1dd4

SHA256
f7ad93c865abdcb694225193e6d9828e570cf272fff558352413942230a7c383

SHA512
bc5d8fd28ab325505654ac2facc497fe25e2c1c8eac0c54a3af0090d3e9f26a0fac4a889ce004f0221dd022dc89d0f9c56c9fb36e334f03f3c88e1f4e53179db

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
ac527d25df5b01e254212b648a5dbfb3

SHA1
a9432596c2d204fe405953acd8dc855fa2943167

SHA256
ab851798bc8b25d32d8e037a140f8de49859d2baad5954c24896fe9008cb5548

SHA512
fb665ea477581fe251b3b6895bd278dacd533af6c182a55bd82bc03159edd46f76d3d073a711fdac3491db4fc0ee321bc64104b900dc03fa511283ea2507136e

Download Submit
\Windows\SysWOW64\Ccjoli32.exe

Filesize
96KB

MD5
6c4fbd369d278ff52e717f3f24dd8d21

SHA1
7ce81c1ed3679fc0c57a35848262ca2a52e42e1a

SHA256
3e86e66959bb680b5134e606d45113f7313c8ad47211c6b759a4af9fcb984f8a

SHA512
5c234d5148f7edce183b8e218ba3dd410463f1817ce31c81c07c9591553fbd15394e54baad421320f18365fb9232b3ff55ad1b697b63610c0f2d3dc3e46ecf46

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
96KB

MD5
6fd1c939d98264fb0a273a6e148129db

SHA1
4b6010ce8fcd4fc175bf14556523e3b0f59e9e98

SHA256
c4f808d63aee9c0ce668b31dfbb249f5f75bbe7c932c823ff3183734bf70657e

SHA512
f5b5bae293a166fdfbf0048d97a542f9cf7a427d6b0609e18c6454d9cd8804aa8194a22dd35c403c3b9db7717b13c42b06ede481576fdedf9f6dfd72f9cd5ea0

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
96KB

MD5
583e4e9091120e23a1838a38923c5840

SHA1
e1de0db0c940263871e203d390abcb071c507242

SHA256
b508e028375e0796d383badd4dec865b761f3311d4de311a5cf0fcb1f856a0f7

SHA512
c0750a235a86369b0d554021ab52979870d351716c8785b8d752a3daaed9c0a78c9dec7212b8245bbed9c2cb3578bd66a3b22f218b115a160b2906a5619b9f89

Download Submit
\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
6815da195ce194bb4110783bf3e4f153

SHA1
cfd962a2f339b4fdf0a823c459da9f5728261e24

SHA256
c480fefae3216be3ee5b37e885ec460245ce3ab2968c11bd1cebe596023aa7a7

SHA512
4b6a939dca58beb229102b6c07905faeb556a350f2150de2955a8a4f5b03f61a101b822a7a6d82ed32af6114f53ee5817abf15da65e7c65b5b64e285d3a72a64

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
96KB

MD5
9862d4c8e6d0339878072f9bf6db27fa

SHA1
17f71bac4d49a19927ae204a17660453da4c0409

SHA256
b021a78058f31a670e9a23aef208767c41a02d2222ce8c254567f5ecfa59db25

SHA512
3c9fefb55ae3f19b6ec8f493381b8c969b138fad1f3fb514eb749f755faf3b4b5eba36aff6f613dfdcdc963bea9bb204d07a89b5e3d15ba717ab3c4a98d6f184

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
d170ea7820fabf3f065e7cab2437332b

SHA1
f1e422c1145baaf8441c592608e62235f57c2ec9

SHA256
a05d6ded3eb8cbba1342675f90fdef72e6f0460659f5b1577f0789c9e26386a6

SHA512
bb3bcdbb64bd98c179ed415d105b858e0128493f743554567e56dd97cb2b76d7498d87ac774c6fdaf08c261c8d481a5adcae01a40292eeb9808403d7a3e99ca7

Download Submit
memory/1676-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1676-121-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/1676-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-106-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2564-131-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-48-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2592-54-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2592-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-75-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/2620-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-13-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2676-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-12-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2784-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2784-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-122-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads