berbew | f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508

General

Target

f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Size

52KB
MD5

4119697538ceb18d384d536e9cf586a0
SHA1

7cc29a9e77da41c85c02b7802e9a574fa923514b
SHA256

f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508
SHA512

f5b0ac0f8023615bac06d762fa1fd5c84bba2e5926e48cd5c55d86b1d52a70ba1f9f072b992dd8d42be49fe20bccce8abbfaa0ecd089eaba267d2eace27ed23f
SSDEEP

768:bQhG4+vV6MBmANQ5lLCA+uLGzynN482JzZm/1H5F/sDMABvKWe:sEvVbBS5xCAXGQN92UyMAdKZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 8 IoCs

pid	Process
1168	Dfnjafap.exe
4936	Dodbbdbb.exe
2908	Deokon32.exe
4104	Dfpgffpm.exe
752	Dmjocp32.exe
4832	Dddhpjof.exe
1432	Dknpmdfc.exe
1072	Dmllipeg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	1072	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 1168	452	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe	82
PID 452 wrote to memory of 1168	452	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe	82
PID 452 wrote to memory of 1168	452	f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe	82
PID 1168 wrote to memory of 4936	1168	Dfnjafap.exe	83
PID 1168 wrote to memory of 4936	1168	Dfnjafap.exe	83
PID 1168 wrote to memory of 4936	1168	Dfnjafap.exe	83
PID 4936 wrote to memory of 2908	4936	Dodbbdbb.exe	84
PID 4936 wrote to memory of 2908	4936	Dodbbdbb.exe	84
PID 4936 wrote to memory of 2908	4936	Dodbbdbb.exe	84
PID 2908 wrote to memory of 4104	2908	Deokon32.exe	85
PID 2908 wrote to memory of 4104	2908	Deokon32.exe	85
PID 2908 wrote to memory of 4104	2908	Deokon32.exe	85
PID 4104 wrote to memory of 752	4104	Dfpgffpm.exe	86
PID 4104 wrote to memory of 752	4104	Dfpgffpm.exe	86
PID 4104 wrote to memory of 752	4104	Dfpgffpm.exe	86
PID 752 wrote to memory of 4832	752	Dmjocp32.exe	87
PID 752 wrote to memory of 4832	752	Dmjocp32.exe	87
PID 752 wrote to memory of 4832	752	Dmjocp32.exe	87
PID 4832 wrote to memory of 1432	4832	Dddhpjof.exe	88
PID 4832 wrote to memory of 1432	4832	Dddhpjof.exe	88
PID 4832 wrote to memory of 1432	4832	Dddhpjof.exe	88
PID 1432 wrote to memory of 1072	1432	Dknpmdfc.exe	89
PID 1432 wrote to memory of 1072	1432	Dknpmdfc.exe	89
PID 1432 wrote to memory of 1072	1432	Dknpmdfc.exe	89

C:\Users\Admin\AppData\Local\Temp\f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe
"C:\Users\Admin\AppData\Local\Temp\f2415df64d4b5b9b6216123310ecb0a3046ce7d1f37da6b5e70196f134b8b508N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\Dodbbdbb.exe
    C:\Windows\system32\Dodbbdbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SysWOW64\Deokon32.exe
      C:\Windows\system32\Deokon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
      - C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 396
        10⤵
        Program crash
        
        PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1072 -ip 1072
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
52KB

MD5
1b468eb6c6a19d900b6cf7531b8fb99d

SHA1
b955c5ebe28ef49a98005707c1537e7ec2258d70

SHA256
5e52db2324a072d05f6ee5b579f648cc38b7e497bcd8f12e0c1a9a5153bd8d1d

SHA512
68594b5655238da570f8ee9cd4b78e5511bf7386cca92129c4bc73069a4b1802133085eaf28189cec1bd0235c3fc99c5ca0d474816fd8ea39fecc39112665c25

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
52KB

MD5
9d825895daf8dac734914bc8233b21c5

SHA1
8384f2246a4b02632b718516e30d7103e199eda9

SHA256
37883c453252428ab2d9778983b74b5f7d129b4b00ae5868eead75c172b0e0c6

SHA512
d78242013bb3b7387502c4de90a7f0bb8c106f3093220e922e3df1598ce5937fd71d363efd2a7373d0964a3a2da580f415b506578f239807a776f1fae2346a73

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
52KB

MD5
44b35ab4428b154fa3b67292fb904489

SHA1
de6395fe711981eef7346e0a51d31e36e168b2a2

SHA256
f55c5d2d2a2e60621ec9374c4856e2526cb8cdf8dfe5cfe47a2d84f974fb8b91

SHA512
39c4d19f3c8d51f1ea1a18b26a9fb58df2af1ffe5de55b8c19c6ee8a590482904b507c18a4e71e3c3feb73a075c2adde1e55f79d151805c08fc726602ebd395e

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
52KB

MD5
e608929dd3a10a217e8556f01fd14e08

SHA1
bba0880b3b596cba4fc11285f4bed2eccebe4692

SHA256
02f9b0e15d6f055ccd52783299bcd2e2cf5aa184ec8e57faa538f83ef521f421

SHA512
0c30061e3520cea5d26c1e447d313da1e7d8367d2f8b47c58b801da2f4281a1aaf6c39aa843ffc05bedeadfdb92f6f54fb8d4837e3b819fc2a6a8d29feed11df

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
52KB

MD5
7a6b747d0f9a7fd775a7ed7e541f3ad5

SHA1
6d721aa71c4dc4a13b5dc813a994df78bd5c0fa8

SHA256
a90ebb31d28bc76f533a597bbe2c734f998a4a6baac683e186bf8ff1e9424ae8

SHA512
a07a1068c3c927fa60bbed5374b3fdfd10b1f7373716e38bc13a9672bd9e45b85d9da2f4b00e05682a4c5fb1d4a305d0f5ff2d10dc6a292ee386282f6c925b8e

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
52KB

MD5
ce585134e4859fba7fab3f829739135c

SHA1
b54fb8ea7dd07be0c6c450724906b08f57ce20eb

SHA256
f1b43907cb18802ca9a7b2f4a60b7d629e54c1610897209418ff84c21b9ee129

SHA512
c4e8a063dda94fbbc8832c4e6573030001849ba1aa04bf9ac8d811528f2470ef9ed22189646e9b5ea9d04239116cc8d0366d7192b10dab50cd1c4a7dfb7ef7a6

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
52KB

MD5
9237b8bc9d61bd9115059e175c3d77b6

SHA1
3fd376da91f026fb5bb5c85bd8ec0c0fe04bd2c3

SHA256
f7ed29087228fe0a01fe28d36fc3675f4b5652976a11e833f9d0cc8a8947ef91

SHA512
aeb683846d73faab8af9e58735f0c21c6138ce5b6d94ea393dff47eefb3ede41d4fc1547bed0a3c106a5fad157d1412003235a7658784844fcc9d853a4a9d94a

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
52KB

MD5
6276c5573929b5fb199bf71f7a03ee3c

SHA1
b35c4852f31bc1db6f7640b2e9b56065410fe517

SHA256
451cbbdf6dbfa8e42e445b89e6654b092b0b046730cfb14142133b568d241428

SHA512
938f0fbca311ad843bdbd818d3ad0c06d605570a91e4dc13b8e923d16dd0d7f680b44def96790e27f28f86ee34c452ba985319c4b9bf7913ffef2cb644aa6502

Download Submit
memory/452-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/752-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/752-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1168-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1168-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-66-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads