berbew | 7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432d

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Size

76KB
MD5

ca7c7866bd83455a038b4bca9e85d750
SHA1

ca5d85c30fb053863245abaf4b1456e20308f99f
SHA256

7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432d
SHA512

693772a8ffe30f292fb4faa8d6c891963bf466a19cd5b129279820d877d76a3e3ba24839011020b8f776aa7166af16d095f33083086486c95f355ab9ceb55b89
SSDEEP

1536:LRS6S3YQfZQ9gOSW6BLzBD739sQHioQV+/eCeyvCQ:y3G9gO+zp7NsQHrk+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 7 IoCs

pid	Process
2132	Khnapkjg.exe
2672	Kfaalh32.exe
2808	Kmkihbho.exe
2608	Kbhbai32.exe
2624	Kkojbf32.exe
3064	Lplbjm32.exe
2988	Lbjofi32.exe

Loads dropped DLL 14 IoCs

pid	Process
2212	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
2212	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
2132	Khnapkjg.exe
2132	Khnapkjg.exe
2672	Kfaalh32.exe
2672	Kfaalh32.exe
2808	Kmkihbho.exe
2808	Kmkihbho.exe
2608	Kbhbai32.exe
2608	Kbhbai32.exe
2624	Kkojbf32.exe
2624	Kkojbf32.exe
3064	Lplbjm32.exe
3064	Lplbjm32.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Khnapkjg.exe	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Khnapkjg.exe	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Phblkn32.dll	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2132	2212	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe	31
PID 2212 wrote to memory of 2132	2212	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe	31
PID 2212 wrote to memory of 2132	2212	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe	31
PID 2212 wrote to memory of 2132	2212	7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe	31
PID 2132 wrote to memory of 2672	2132	Khnapkjg.exe	32
PID 2132 wrote to memory of 2672	2132	Khnapkjg.exe	32
PID 2132 wrote to memory of 2672	2132	Khnapkjg.exe	32
PID 2132 wrote to memory of 2672	2132	Khnapkjg.exe	32
PID 2672 wrote to memory of 2808	2672	Kfaalh32.exe	33
PID 2672 wrote to memory of 2808	2672	Kfaalh32.exe	33
PID 2672 wrote to memory of 2808	2672	Kfaalh32.exe	33
PID 2672 wrote to memory of 2808	2672	Kfaalh32.exe	33
PID 2808 wrote to memory of 2608	2808	Kmkihbho.exe	34
PID 2808 wrote to memory of 2608	2808	Kmkihbho.exe	34
PID 2808 wrote to memory of 2608	2808	Kmkihbho.exe	34
PID 2808 wrote to memory of 2608	2808	Kmkihbho.exe	34
PID 2608 wrote to memory of 2624	2608	Kbhbai32.exe	35
PID 2608 wrote to memory of 2624	2608	Kbhbai32.exe	35
PID 2608 wrote to memory of 2624	2608	Kbhbai32.exe	35
PID 2608 wrote to memory of 2624	2608	Kbhbai32.exe	35
PID 2624 wrote to memory of 3064	2624	Kkojbf32.exe	36
PID 2624 wrote to memory of 3064	2624	Kkojbf32.exe	36
PID 2624 wrote to memory of 3064	2624	Kkojbf32.exe	36
PID 2624 wrote to memory of 3064	2624	Kkojbf32.exe	36
PID 3064 wrote to memory of 2988	3064	Lplbjm32.exe	37
PID 3064 wrote to memory of 2988	3064	Lplbjm32.exe	37
PID 3064 wrote to memory of 2988	3064	Lplbjm32.exe	37
PID 3064 wrote to memory of 2988	3064	Lplbjm32.exe	37

C:\Users\Admin\AppData\Local\Temp\7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe
"C:\Users\Admin\AppData\Local\Temp\7e14d3cac672090384e032dbd6ef51c946f85ee4eaf824ae8aca2f0864f1432dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\Khnapkjg.exe
  C:\Windows\system32\Khnapkjg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\Kfaalh32.exe
    C:\Windows\system32\Kfaalh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\Kmkihbho.exe
      C:\Windows\system32\Kmkihbho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
76KB

MD5
8b2a692b1d0a30f9f39f098efd8680cc

SHA1
36adf89177244d0f27f3d1406e898466b167ec0b

SHA256
870ebc356f972271ba97e0b86ab1aa6918ecf266a31eb6dd03c56e94f9215be3

SHA512
7475bd07c4a6b9cc4749fee53240adc9639fbe13b3aaa03f674d2283dc0dd745aea74622d83dac123587a87ce0f1af6f71d27c536427cbbb23c66af6b6f388d5

Download Submit
\Windows\SysWOW64\Kbhbai32.exe

Filesize
76KB

MD5
f14ee1433cf058dccae0df0a4e692e20

SHA1
083d8e7ebf64f74063afe872aaa60bb15973b568

SHA256
ac97d5abe7d68ffa927941aa5d9e113ed78783ad6cc76dd33492a720f08f7ee4

SHA512
8abcbddd2daf0aff6b675ce40a095633e66be6edb67eb5476eb14f33717c87b29e406812d3c669625f96ba5c9bf462047758653624da6f687d013ca0495bad34

Download Submit
\Windows\SysWOW64\Khnapkjg.exe

Filesize
76KB

MD5
e10386185ead1ee778c192b5c19d1813

SHA1
55380622b02de7506bb054623cf273cc6bccb3fc

SHA256
b4c9db9869ca485e167fc74ed8cab56c149892835898096cff3c11a51818eb06

SHA512
aefbe534f8db524c4407ec02457829a5e2b9ec8935d7037f3526da5f2b901de582fe06f7e72f75b8c97972c06de7f35bfaf2bee5568f195a63b6f394355dde85

Download Submit
\Windows\SysWOW64\Kkojbf32.exe

Filesize
76KB

MD5
25d73dbcf239d3903c94ce44253219d9

SHA1
f34d6a5a9fdd8a6e2f7ce5c357821ffd2f3c3bbc

SHA256
a9011447b327f210a24ccd338a92117d9da873811ae1e2c468b98de05075bc42

SHA512
84d5577c0ae1509938ea9d7fe60f3c44f27a882274307e0ed2e54e9a52bca34ed414c68bcd8f44112363f356303ff1762faef3516500ce764299f59fcfe60596

Download Submit
\Windows\SysWOW64\Kmkihbho.exe

Filesize
76KB

MD5
cd56c857b502cc29fb60a1bcca7f44c7

SHA1
83cb823105bb0570fa3cd9a3a3ea091d9d899eaf

SHA256
6b10bde4060b8f6335475e2826dacc146ccb6784b59d860a29177274b8792a86

SHA512
cecbe4c8a9dca87edeceb26f233b0149a90423977c4f3bcc5da13511ac6cdf007c2a4613945192ee41bb89d6297ce2c0c728e62667f41313cfb940a63c855972

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
76KB

MD5
1726d6201008db20bb858ff5017eb79d

SHA1
4addf05a8bc4379ba68dfd4c81400fb203d705af

SHA256
ed47900d1e9b0f0f0da7101143ccbf02ef31725e0dea50488cb98cc2363431a1

SHA512
946051f70d689bee0d4be210eca8b29b257f9e4605d414261138b2cdf01ca8ff50ac332e312ca32cd0239ed9746784a0fab202c4e75b6233a15c78aea721a230

Download Submit
\Windows\SysWOW64\Lplbjm32.exe

Filesize
76KB

MD5
f2458e659f9e6ae16714c48852dfbd5a

SHA1
86768994cbccac4032bd17a8e7df431c722879ee

SHA256
e00220d9311e4a70205a43dcdc62d0090918433ed31299783ca25db8adc06d88

SHA512
2acd099bc45072fd2dacd14efb4bc87759abcdf8ae64634a8c4dc73530c5741c5f56b1b1f39ed8cfa98bd4d5ba6e1f42d2cb10cd06317fd50184124b896ca8f6

Download Submit
memory/2132-83-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-27-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2212-81-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2212-82-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2212-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-13-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2212-12-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2212-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-54-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2988-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-94-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads