berbew | 24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
Size

176KB
MD5

f2068ca9aac75a672fab3fc52ce59cd0
SHA1

b0ce5c72167b27be76259c464ef23bde63facb87
SHA256

24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd
SHA512

3cf7b7d0c4b687df57707080241a82874b60c3df94907e7e77e8c32bf659212fe12448fde8111292924ebb8a9b8be364e1544a6167722f46bb6519b2b3eeafda
SSDEEP

3072:oZxxuA5CQpeM9VjIevEy032yaCMMq9FIUPv9XOVw1FaX6lwzmOJfYerMMq9FIUvi:ovx35CQpeM9VjDvE4f9FIUpOVw86CmOt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 11 IoCs

pid	Process
1804	Deokon32.exe
116	Dhmgki32.exe
964	Dfpgffpm.exe
4144	Dogogcpo.exe
1892	Dmjocp32.exe
5024	Daekdooc.exe
4708	Dddhpjof.exe
2856	Dhocqigp.exe
1104	Dgbdlf32.exe
2148	Doilmc32.exe
3676	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2712	3676	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1804	3028	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe	82
PID 3028 wrote to memory of 1804	3028	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe	82
PID 3028 wrote to memory of 1804	3028	24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe	82
PID 1804 wrote to memory of 116	1804	Deokon32.exe	83
PID 1804 wrote to memory of 116	1804	Deokon32.exe	83
PID 1804 wrote to memory of 116	1804	Deokon32.exe	83
PID 116 wrote to memory of 964	116	Dhmgki32.exe	84
PID 116 wrote to memory of 964	116	Dhmgki32.exe	84
PID 116 wrote to memory of 964	116	Dhmgki32.exe	84
PID 964 wrote to memory of 4144	964	Dfpgffpm.exe	85
PID 964 wrote to memory of 4144	964	Dfpgffpm.exe	85
PID 964 wrote to memory of 4144	964	Dfpgffpm.exe	85
PID 4144 wrote to memory of 1892	4144	Dogogcpo.exe	86
PID 4144 wrote to memory of 1892	4144	Dogogcpo.exe	86
PID 4144 wrote to memory of 1892	4144	Dogogcpo.exe	86
PID 1892 wrote to memory of 5024	1892	Dmjocp32.exe	87
PID 1892 wrote to memory of 5024	1892	Dmjocp32.exe	87
PID 1892 wrote to memory of 5024	1892	Dmjocp32.exe	87
PID 5024 wrote to memory of 4708	5024	Daekdooc.exe	88
PID 5024 wrote to memory of 4708	5024	Daekdooc.exe	88
PID 5024 wrote to memory of 4708	5024	Daekdooc.exe	88
PID 4708 wrote to memory of 2856	4708	Dddhpjof.exe	89
PID 4708 wrote to memory of 2856	4708	Dddhpjof.exe	89
PID 4708 wrote to memory of 2856	4708	Dddhpjof.exe	89
PID 2856 wrote to memory of 1104	2856	Dhocqigp.exe	90
PID 2856 wrote to memory of 1104	2856	Dhocqigp.exe	90
PID 2856 wrote to memory of 1104	2856	Dhocqigp.exe	90
PID 1104 wrote to memory of 2148	1104	Dgbdlf32.exe	91
PID 1104 wrote to memory of 2148	1104	Dgbdlf32.exe	91
PID 1104 wrote to memory of 2148	1104	Dgbdlf32.exe	91
PID 2148 wrote to memory of 3676	2148	Doilmc32.exe	92
PID 2148 wrote to memory of 3676	2148	Doilmc32.exe	92
PID 2148 wrote to memory of 3676	2148	Doilmc32.exe	92

C:\Users\Admin\AppData\Local\Temp\24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe
"C:\Users\Admin\AppData\Local\Temp\24685bba67414f7635356816fab95b1ffafc26a7de64497d95a6ff1fc9af51cd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\Deokon32.exe
  C:\Windows\system32\Deokon32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\Dhmgki32.exe
    C:\Windows\system32\Dhmgki32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\Dfpgffpm.exe
      C:\Windows\system32\Dfpgffpm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 408
        13⤵
        Program crash
        
        PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3676 -ip 3676
1⤵
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bobiobnp.dll

Filesize
7KB

MD5
1163e93fe0f4b194c5b7358549142d21

SHA1
b7bd9900e147fb103986d582207ddb38d1d9647c

SHA256
9bd42a59d53bbd763f7fd7e656f95d05b891e60e7333b1d8c14b411fbaf44bac

SHA512
01192aeb49340260aa973d3e76dfe2e8d701878f6237053df944ff8d85eefd58d009b7401763c5c3c8bdfcbca011ca77e96651edfeca42a7eb4ced0a200e5f1f

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
176KB

MD5
f2a93c3c2d668e625fa82a636f602612

SHA1
1120e9aa88dd3d368a4d38e0352e0cb221f8fb9f

SHA256
39df01c1322895f9bf1125be9d0c7427422b1e17492c4c042a140b13395daf34

SHA512
6425d7d8371f2e5d3430b750ca9571d9b53d8b10b81d1dd57398bd99777c085696023fc57da8213b87eef486bd0ccb36d6a124a52f643977417035e579bdd5c8

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
176KB

MD5
bee7b45ae016c2f271601ff585936f8c

SHA1
ad2044661417637478d189e756c12df94cf0a01f

SHA256
8aabd7e6be7027a1a766ba3a143c09610a209d176aca28bd04cbf0b20ef5cce3

SHA512
647842202126b7fa73603b2272d0b606d2cc6af0b752f2810bbe6c5c7acf5e7b087d660360cf0c21b47e537574b89e864c8c9223fc6fb0f258d6ef91355ddc62

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
176KB

MD5
30b46d39c4dc003eec518579a20f9e79

SHA1
41134a922c455c9991f460fdf220cc4dc6969924

SHA256
70b45bd84dbeb775754ad103a17c13024975d19c310ec751a9e6b69c29478266

SHA512
79c45386a98a13f5af849d75170fbc37d932a91795ae62cf5d8df50d837ad95870fd218deea754963de5ed59f581fffe9e19ce2d75e912c21c58fae7c4f04177

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
176KB

MD5
3afd6a58469b832760db3e97036d0498

SHA1
370300e1714d39e79d810db5d152bee5f1d2a288

SHA256
c78d1efa48f47330064ca4a4b36fc818e7a34edc082cc0827c772c5efce8642e

SHA512
a70fc59681f7c712a51a6e19f3c0ca4142bbf3ac4216ec26b02026e3e78f73b826f25265a6f929d96c3b943b9af7ede08d90c7733391a26424d85298aefcf0e0

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
176KB

MD5
6fa4651f88fa3d35629af752d2743d7b

SHA1
f3637a3870ca10c3ff23a50c1938a5e7d21a1098

SHA256
2bde4c48e559508f49362833fb8f2a039eb182579cffbdc7f9666915d69a02a2

SHA512
2fe58efbaf435fe0c9f7fa156558cb11acdb417906f7b7a5ad1decce36585f1c762694de7a6622a732e13b0b86b89aa4bdd99de97795dd59882cef9b9e324293

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
176KB

MD5
9468dacd61e7b58c18344f89b08094c3

SHA1
20bd05ac588fbbe06ccdb62f13a428a69f98d3ac

SHA256
56fbcdaf9c43c4c0d84f440e9b3954a9bb76f98d48afaf9222ec220889c8fa0a

SHA512
3b9f5b3399afd7fe9b84739538fac219ff97520a814b563485b95f4073b64dfbaeb04896c4ac09802dccdf7593d45563b364d4c22803e902550740bccc1f2be8

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
176KB

MD5
a9f16fd42c5137340327149b99a9ba93

SHA1
74d10e07e54b1914e6bfab60ef29973f47caf35a

SHA256
449d9f7c8c4ec4caa8f995a9ba5c3658c62063c4a6af41818ab688ef101f6aa8

SHA512
0c867fe84e57b0cab9be1d4bcc0c33ec75b074e10667a166e364d9e681ddfad5ab39b95ece671ce7a513d5ff0d0b7231258f65ec953e79db6a0aa52fc47e234a

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
176KB

MD5
6c4e5c11e63c88857dbdb357430f02b6

SHA1
bdafe3a585189cc92171f3ad19aa2f4074086eee

SHA256
25014c6eea767a1e503a2350dbbeb30c4ea959f5799c618e3c2077bb5bf816e7

SHA512
4828296a8f6fc48b353182f80dc2367246e633acfe56558631d0d31436498cba269203a1683a3771954d47e425a400cbb4f06a51ee88de655c158effb279b489

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
176KB

MD5
05827b34639f13dc8e6cb60fff9e9e67

SHA1
60c5ee0d1a75fe99292f374a46477517264ec53f

SHA256
00662e37d0cd993e8a42b001545cd25a9168d2590590abe617a10dc12c1f795f

SHA512
63cc56efb55320233e9f49d34d83d66eaad2ee03deebefd9b09afbcdbef19bc1e71f84f02b8dc550209f966dd1d915aa6ed603575054404eab161e7049f69ed9

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
176KB

MD5
9d2fde9e62494d9f04b2948a0a733fd9

SHA1
009155813421dd0fff62e65bbc6f2612da11c87c

SHA256
d56d1d3fdee43c5638e3c261463a8cbc842e99fd243fd903f0fc65929acb676e

SHA512
dadb1aceda1968c5be6317865912397236591e82d300f6578820ab4e9ef109a7de0ca5db4b46e6719fe3fc633764830c2a33853025fd168bd98910b262a4cce5

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
176KB

MD5
50af25033861c80e73d2e3c0388ac75a

SHA1
25ee22d668917c9dea9f556aa7041e744a87f489

SHA256
a9755c7fb4c28a899b261d9f39312e2c9ff5a13d0afc5fd06a65172bb84a0c81

SHA512
46c9db9e99a549d1448ef510ad51db6512d6ff8d48897d17ce08f5fb8afd56b477f497a2973a1882257beaa18f8e72baa10d572075d889809a14c0c6f731b9f3

Download Submit
memory/116-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/964-28-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1104-76-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1804-91-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1804-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1892-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1892-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2148-84-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2856-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3028-92-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3028-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3676-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4708-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5024-52-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads