berbew | 11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
Size

582KB
MD5

80a287584676f35aff4814767ff2a940
SHA1

159d6eb00164e569534ece29a5bff8a545c37609
SHA256

11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7
SHA512

abbe04ddd47f77381db860ab90546c5ffb8a58c306272fe3f322563ce5b1d08372a951401002d7622f292161d51afa92a1cc9318017d9e35b3884922e06d9038
SSDEEP

12288:Qik/ugfYNrekcPYNrq6+gmCAYNrekcPYNrB:k/fakaF+gqakad

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 9 IoCs

pid	Process
1320	Cjbpaf32.exe
264	Dfiafg32.exe
3948	Dejacond.exe
4428	Dobfld32.exe
3904	Dfnjafap.exe
4820	Dmgbnq32.exe
4652	Dfpgffpm.exe
1812	Deagdn32.exe
1072	Dmllipeg.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	1072	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1320	1184	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe	82
PID 1184 wrote to memory of 1320	1184	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe	82
PID 1184 wrote to memory of 1320	1184	11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe	82
PID 1320 wrote to memory of 264	1320	Cjbpaf32.exe	83
PID 1320 wrote to memory of 264	1320	Cjbpaf32.exe	83
PID 1320 wrote to memory of 264	1320	Cjbpaf32.exe	83
PID 264 wrote to memory of 3948	264	Dfiafg32.exe	84
PID 264 wrote to memory of 3948	264	Dfiafg32.exe	84
PID 264 wrote to memory of 3948	264	Dfiafg32.exe	84
PID 3948 wrote to memory of 4428	3948	Dejacond.exe	85
PID 3948 wrote to memory of 4428	3948	Dejacond.exe	85
PID 3948 wrote to memory of 4428	3948	Dejacond.exe	85
PID 4428 wrote to memory of 3904	4428	Dobfld32.exe	86
PID 4428 wrote to memory of 3904	4428	Dobfld32.exe	86
PID 4428 wrote to memory of 3904	4428	Dobfld32.exe	86
PID 3904 wrote to memory of 4820	3904	Dfnjafap.exe	87
PID 3904 wrote to memory of 4820	3904	Dfnjafap.exe	87
PID 3904 wrote to memory of 4820	3904	Dfnjafap.exe	87
PID 4820 wrote to memory of 4652	4820	Dmgbnq32.exe	88
PID 4820 wrote to memory of 4652	4820	Dmgbnq32.exe	88
PID 4820 wrote to memory of 4652	4820	Dmgbnq32.exe	88
PID 4652 wrote to memory of 1812	4652	Dfpgffpm.exe	89
PID 4652 wrote to memory of 1812	4652	Dfpgffpm.exe	89
PID 4652 wrote to memory of 1812	4652	Dfpgffpm.exe	89
PID 1812 wrote to memory of 1072	1812	Deagdn32.exe	90
PID 1812 wrote to memory of 1072	1812	Deagdn32.exe	90
PID 1812 wrote to memory of 1072	1812	Deagdn32.exe	90

C:\Users\Admin\AppData\Local\Temp\11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe
"C:\Users\Admin\AppData\Local\Temp\11e17a94c661e408d49c3609ed8f674bbbdc82c014375bfd89a48672eee8cfe7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\Cjbpaf32.exe
  C:\Windows\system32\Cjbpaf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\Dfiafg32.exe
    C:\Windows\system32\Dfiafg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\SysWOW64\Dejacond.exe
      C:\Windows\system32\Dejacond.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 416
        11⤵
        Program crash
        
        PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1072 -ip 1072
1⤵
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
582KB

MD5
da941c0d09392ee131fca99fae9c93bf

SHA1
6874ff4158279c1efbf9ea03e248154fb27f7744

SHA256
f4d06c907190022efced0b3bdb32f235a5941d05f2188ad1f95051ef5717095f

SHA512
0d574d3c9d09ea66e4c5d41c23b7abaa99e21e86188424d4a3593ffa2b8c16c7b8e1e3527866e41308f8e41b58ae326f17a5d651057d57bc75661db66e89244e

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
582KB

MD5
c6bca2bb01fe9cabdd2790af19904aa7

SHA1
884cf4e601cae18a4a996036afba55720fc74610

SHA256
cb66961d738ca1ea9baaceb6952b136648d87339243123443418523fc1d06250

SHA512
9acc4836deeb743311d84ca5a8ba868cb71736dbd12b4665d2a4730208505df7f13731f62bcd8a39ba9a689cc7a4006b95c1c99fa5bc43247f6afe823fae1a71

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
582KB

MD5
3c925e1fefab819c3b85d09762187e1c

SHA1
aca5c012f1042df70d982266a5bcb7ebfa906952

SHA256
acdf61e5b57b48ff9f6400a2f20dd2d700c8573fdf823b0f9d98517174de998d

SHA512
d48ca118a925a1ce7c4428ff2ab8d765093a97a02b1c620349bc6d50edec427494e85387f87d9cb287be4b5f7f2719ab3ec343144ad03ef0f0413e8695da5171

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
582KB

MD5
720f7c1c9d736bb2b3767b5e8d6a8ad4

SHA1
6b0a870ae7e4ac58cc1885352ac3310740b5e1ed

SHA256
3f345ca3e971fee410241ce69e755c7666d96237ce35bb1149287be33d70e352

SHA512
e648b97d82dfb692e93992075f2c95df49aff7e0377a8e6c945352c793914f454168401e70df8a7edc6a678a4340394148a4c71ce71a9c6435f44930841cd4f6

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
582KB

MD5
6e5d19e4b9f163a1f57156c6b52cef20

SHA1
97461df1c5d0a3aa5aba0590f7f16c3779f56f51

SHA256
988292a2069991a8fcd86f8610ea56ef597541d13251d8743f950c4c51824a43

SHA512
166556f1e62a7287eb16daf93bd12bf8e202b1ce2144fd836dffd2d67d36db349dabd8618734439c656b1b9b3e11273e70665971bf76a138b1656fe522a34458

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
582KB

MD5
04533bb71ceaa500d1af7e949b12e128

SHA1
9ab0a430136ab421dd765ddffbd9e33069c878ef

SHA256
b3732dff4dd94828c0fdd16c6800c3944208a058ace8e5d05d39df372e134415

SHA512
81c922e640875b1562b94d2958e18ceb08dcf85fea4572cf6fb31937bee77888270c9dfa26214851d605531f420cae99f9c70ed4fe8d5375fe9c1eaaea7afed1

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
582KB

MD5
55706e6c95bf0cf873274dde817e02d8

SHA1
89fd5395b3c9f9179fb48783c76026e09d97106a

SHA256
0d32e13044f0e78f8983684d0e12708c5da958fbb523c3a587cfdd1ce17cf482

SHA512
ff337a40309e69e8d7e0918a5e73fd481dfc8a318361b61196ecf8b3b9a5e8f8a9d085f5469deb91b8b049c8560f96a861b4c68bafe45b44b6871b86c5f60973

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
582KB

MD5
2f68b7ad1af91d5e76a71873cbbba68e

SHA1
0b36e205660ed4da129feb06824444129a32c301

SHA256
0f55b3a4b2dc011027c48c81ae432db2cd5c1e87760e1d47d55db4d17e5dc946

SHA512
d07ebd2e5e155994c5bac39d91a86c24954745c515435c309117093023e2432702b3967cb07e61c0574000f3a7662fa274b436ba2d707811676b4e6cd5c37ce6

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
582KB

MD5
883b299fcc2c3a978ff2935918322d9d

SHA1
3aac7fb8681e263fc79de7e4efb12b154aafeb0c

SHA256
bfdfbabd49cf786004d4fe6cc127bf18425703e012e49dcf1eafcc93de500286

SHA512
0b714784c32a0a4512995735018aabf6fd8dd509a824bf9f63235755c8c366770bc3fd18868a800e9e6b0ff4a6e968be4c03daa3f8dad14c666e308fb80a8a4c

Download Submit
C:\Windows\SysWOW64\Poahbe32.dll

Filesize
7KB

MD5
b6dcdfe96c00230744ba74d11a95846f

SHA1
9a1024ebb79f2237287662917d56b50486da6616

SHA256
217f5b2f11c1032b389886d3912f76f36665355905cbe070ef51220fed10a426

SHA512
52585c958b647b358fdf482eccd505558e1dd10598ebad154c672752e9b48585087e4a7dabf003ff23c72c7895c6a65ca0c79caa80802604c0fa324dda6b8d78

Download Submit
memory/264-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/264-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads