berbew | b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801e

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
Size

186KB
MD5

daef535d1a8f5b63a4155da99a28ce50
SHA1

4483ee859daa525039a22ac505d68f466c006c02
SHA256

b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801e
SHA512

432f4647609c19d50be4854d3763664b8a0d62c8b0d70f8865f1441a46def9a783c310400bcef16918bff22cdc6b00ae94e6d71cdcca4bcbdcc54e78cc300095
SSDEEP

3072:NlaHRIAXA7RFv+Y4H1vkF3VOMC4uMhZpMdoVBRDI+Vvlg3vG:NlaHjXKRF+Jk/4AcgHuv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpieengb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 7 IoCs

pid	Process
2712	Koflgf32.exe
2688	Kadica32.exe
2952	Kpgionie.exe
2676	Kfaalh32.exe
796	Kpieengb.exe
316	Lplbjm32.exe
2528	Lbjofi32.exe

Loads dropped DLL 18 IoCs

pid	Process
2652	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
2652	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
2712	Koflgf32.exe
2712	Koflgf32.exe
2688	Kadica32.exe
2688	Kadica32.exe
2952	Kpgionie.exe
2952	Kpgionie.exe
2676	Kfaalh32.exe
2676	Kfaalh32.exe
796	Kpieengb.exe
796	Kpieengb.exe
316	Lplbjm32.exe
316	Lplbjm32.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Phblkn32.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kpgionie.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2544	2528	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2712	2652	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe	30
PID 2652 wrote to memory of 2712	2652	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe	30
PID 2652 wrote to memory of 2712	2652	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe	30
PID 2652 wrote to memory of 2712	2652	b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe	30
PID 2712 wrote to memory of 2688	2712	Koflgf32.exe	31
PID 2712 wrote to memory of 2688	2712	Koflgf32.exe	31
PID 2712 wrote to memory of 2688	2712	Koflgf32.exe	31
PID 2712 wrote to memory of 2688	2712	Koflgf32.exe	31
PID 2688 wrote to memory of 2952	2688	Kadica32.exe	32
PID 2688 wrote to memory of 2952	2688	Kadica32.exe	32
PID 2688 wrote to memory of 2952	2688	Kadica32.exe	32
PID 2688 wrote to memory of 2952	2688	Kadica32.exe	32
PID 2952 wrote to memory of 2676	2952	Kpgionie.exe	33
PID 2952 wrote to memory of 2676	2952	Kpgionie.exe	33
PID 2952 wrote to memory of 2676	2952	Kpgionie.exe	33
PID 2952 wrote to memory of 2676	2952	Kpgionie.exe	33
PID 2676 wrote to memory of 796	2676	Kfaalh32.exe	34
PID 2676 wrote to memory of 796	2676	Kfaalh32.exe	34
PID 2676 wrote to memory of 796	2676	Kfaalh32.exe	34
PID 2676 wrote to memory of 796	2676	Kfaalh32.exe	34
PID 796 wrote to memory of 316	796	Kpieengb.exe	35
PID 796 wrote to memory of 316	796	Kpieengb.exe	35
PID 796 wrote to memory of 316	796	Kpieengb.exe	35
PID 796 wrote to memory of 316	796	Kpieengb.exe	35
PID 316 wrote to memory of 2528	316	Lplbjm32.exe	36
PID 316 wrote to memory of 2528	316	Lplbjm32.exe	36
PID 316 wrote to memory of 2528	316	Lplbjm32.exe	36
PID 316 wrote to memory of 2528	316	Lplbjm32.exe	36
PID 2528 wrote to memory of 2544	2528	Lbjofi32.exe	37
PID 2528 wrote to memory of 2544	2528	Lbjofi32.exe	37
PID 2528 wrote to memory of 2544	2528	Lbjofi32.exe	37
PID 2528 wrote to memory of 2544	2528	Lbjofi32.exe	37

C:\Users\Admin\AppData\Local\Temp\b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe
"C:\Users\Admin\AppData\Local\Temp\b354b0162c21cdd67fd616b6ec4d4a8eb6f28085ff80e1f9dcb50de2dd42801eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\Koflgf32.exe
  C:\Windows\system32\Koflgf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\Kadica32.exe
    C:\Windows\system32\Kadica32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Kpgionie.exe
      C:\Windows\system32\Kpgionie.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 140
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kadica32.exe

Filesize
186KB

MD5
26b21af99656567cd07beb6e5e0df501

SHA1
50023228a2325d60fe2616bf000bf4fc30a71a37

SHA256
855d816d0aaf4877768d76874b0abbaaa9aec1e6f1b5d80199add8430df0dbc4

SHA512
0554255116c9ae42bc9507515a49014e7da50e50d3a5f404ac0e7aa110c848c9f3c2fd5d7e546a8bf9207653459cae5d30eac181b1bc66c71c8954a65bf8214d

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
186KB

MD5
cf02a5e76c9c38a117e91b87650bcbe4

SHA1
dd0f3e81de7eec4fb84812172dd9d17838956e7c

SHA256
f0df946c9424a0f926476a51a7652af46f91e33b8e736441d41e9ed131a18fe6

SHA512
0a132856adb14b1c49e95165c26ec5a575832137edf9f212ccc7d9ac53bd07c4c326b0cf6898c54d712f3bfcad2b39463bf527fb367f0bebe24756cfdfef2ef0

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
186KB

MD5
942576efc4361fed1a7c4da7e949b527

SHA1
88d88548a308211e4017a75d9f27ecca2d83fd70

SHA256
dfea5af2b8b26bded2edc7fcd42ec72885043ad4b8fd54859fd8f3c60cf32ccb

SHA512
68c42f484a66168383d6488abe9e7c99b5a6c5a15ecfe32d87e173a02809494269cddce50d3db21638671ae932f8532bbf1c22119083f707e5d6bc3820a4647b

Download Submit
\Windows\SysWOW64\Koflgf32.exe

Filesize
186KB

MD5
2ced7887d77cb9b991fdcff426c86bff

SHA1
97963f3dd944f8b901975a1f96e7be8a89a23f3d

SHA256
07a5345fbdbed3ab813c9b25d6c959f56b09826a03fcdca9be2b39314bc0240a

SHA512
56f368135119887ff07d1d10d0f64ae38b0b03ab16571b31a5c967c3e7cb4241f3b9b6415e2068bf9164502eb7021864a61333fa139a3a9c5642bfeedecff08e

Download Submit
\Windows\SysWOW64\Kpieengb.exe

Filesize
186KB

MD5
e1c1fafa3bbc4eedea417f8242fb9071

SHA1
9be25db76a0be8bf06fb4dc2a08b6dcacaef3842

SHA256
e9bbe84a0f46c47bfcd04fd0b5ec20e924bbdbcb1c17e0acdeb686ff1560c32d

SHA512
dfb392bb80e76aaf993c9a98cc744b795c81aa9e6850d9b6b8edc03f84298cc455f83da64cc1dd6e14cb51d55f5458ad381690f328febb52e8a3d0fe5165afbc

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
186KB

MD5
393848ab9d6ca3d5d9184b0074bffbb5

SHA1
47d0198886a59c9010f17c1b14ee3b92ca40207b

SHA256
7fca7d7ee55802849f7f4799718996222c234282335409592c99e5c06e3dd8a0

SHA512
47d40ba7af6d136fab7af79d6b23d154480c0f6ddbb079d69e2112a12c72a24be5f265ec37d2e2e38c38dc4cf140a52e3085c7ff50209d534cc41e72df8b1200

Download Submit
\Windows\SysWOW64\Lplbjm32.exe

Filesize
186KB

MD5
17c1f8a03d96fddc7d4d3d01fe081855

SHA1
7e98c746e0532e529958bab3a92178f232218ded

SHA256
a27da2669c501b61248fe2ebf8dd2ff46f9b276a6e99b6180eafa89524b824e1

SHA512
4bf3a5cc61205ff41d52bc91a8f36ed6640438ff9fab39d57f9b397eb939164e299e85b1da57321321ab32470af2d6d7d896006f572922f84fdd8c8ea4136673

Download Submit
memory/316-89-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/316-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-75-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2528-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-12-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2652-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-13-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2676-67-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2676-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-32-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2712-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-48-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads