berbew | 3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320db

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Size

77KB
MD5

d8fb22e8645a71622bd3b0cdd7768570
SHA1

2e3675f3139df036c076496502501fad13676a36
SHA256

3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320db
SHA512

cfc4fafc5e5ba161a9f690889e251c8ddc1ce3042f07d94fe712fa27b0eb26d4550b982800449bfa6f83cb1edfa2ba757b79eef31afee01047f42546ba28f706
SSDEEP

768:7c/cYUTo4tz1Z/MR+cVaNVgnglrcqTPCI4yMQ8clxdsZ2p/1H5pVTXdnh2F4g85D:gHUBggjFk2LtRwfi+TjRC/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 10 IoCs

pid	Process
2776	Nmnace32.exe
2648	Nplmop32.exe
2616	Nkbalifo.exe
2344	Npojdpef.exe
320	Ngibaj32.exe
912	Nigome32.exe
2592	Npagjpcd.exe
2604	Ncpcfkbg.exe
1072	Nenobfak.exe
2976	Nlhgoqhh.exe

Loads dropped DLL 20 IoCs

pid	Process
2848	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
2848	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
2776	Nmnace32.exe
2776	Nmnace32.exe
2648	Nplmop32.exe
2648	Nplmop32.exe
2616	Nkbalifo.exe
2616	Nkbalifo.exe
2344	Npojdpef.exe
2344	Npojdpef.exe
320	Ngibaj32.exe
320	Ngibaj32.exe
912	Nigome32.exe
912	Nigome32.exe
2592	Npagjpcd.exe
2592	Npagjpcd.exe
2604	Ncpcfkbg.exe
2604	Ncpcfkbg.exe
1072	Nenobfak.exe
1072	Nenobfak.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkbalifo.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Eeejnlhc.dll	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Nkbalifo.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	Nmnace32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nenobfak.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Npojdpef.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Nigome32.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
File opened for modification	C:\Windows\SysWOW64\Nkbalifo.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Eqnolc32.dll	Nkbalifo.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Npagjpcd.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkbalifo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll"	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll"	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeejnlhc.dll"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2776	2848	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe	30
PID 2848 wrote to memory of 2776	2848	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe	30
PID 2848 wrote to memory of 2776	2848	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe	30
PID 2848 wrote to memory of 2776	2848	3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe	30
PID 2776 wrote to memory of 2648	2776	Nmnace32.exe	31
PID 2776 wrote to memory of 2648	2776	Nmnace32.exe	31
PID 2776 wrote to memory of 2648	2776	Nmnace32.exe	31
PID 2776 wrote to memory of 2648	2776	Nmnace32.exe	31
PID 2648 wrote to memory of 2616	2648	Nplmop32.exe	32
PID 2648 wrote to memory of 2616	2648	Nplmop32.exe	32
PID 2648 wrote to memory of 2616	2648	Nplmop32.exe	32
PID 2648 wrote to memory of 2616	2648	Nplmop32.exe	32
PID 2616 wrote to memory of 2344	2616	Nkbalifo.exe	33
PID 2616 wrote to memory of 2344	2616	Nkbalifo.exe	33
PID 2616 wrote to memory of 2344	2616	Nkbalifo.exe	33
PID 2616 wrote to memory of 2344	2616	Nkbalifo.exe	33
PID 2344 wrote to memory of 320	2344	Npojdpef.exe	34
PID 2344 wrote to memory of 320	2344	Npojdpef.exe	34
PID 2344 wrote to memory of 320	2344	Npojdpef.exe	34
PID 2344 wrote to memory of 320	2344	Npojdpef.exe	34
PID 320 wrote to memory of 912	320	Ngibaj32.exe	35
PID 320 wrote to memory of 912	320	Ngibaj32.exe	35
PID 320 wrote to memory of 912	320	Ngibaj32.exe	35
PID 320 wrote to memory of 912	320	Ngibaj32.exe	35
PID 912 wrote to memory of 2592	912	Nigome32.exe	36
PID 912 wrote to memory of 2592	912	Nigome32.exe	36
PID 912 wrote to memory of 2592	912	Nigome32.exe	36
PID 912 wrote to memory of 2592	912	Nigome32.exe	36
PID 2592 wrote to memory of 2604	2592	Npagjpcd.exe	37
PID 2592 wrote to memory of 2604	2592	Npagjpcd.exe	37
PID 2592 wrote to memory of 2604	2592	Npagjpcd.exe	37
PID 2592 wrote to memory of 2604	2592	Npagjpcd.exe	37
PID 2604 wrote to memory of 1072	2604	Ncpcfkbg.exe	38
PID 2604 wrote to memory of 1072	2604	Ncpcfkbg.exe	38
PID 2604 wrote to memory of 1072	2604	Ncpcfkbg.exe	38
PID 2604 wrote to memory of 1072	2604	Ncpcfkbg.exe	38
PID 1072 wrote to memory of 2976	1072	Nenobfak.exe	39
PID 1072 wrote to memory of 2976	1072	Nenobfak.exe	39
PID 1072 wrote to memory of 2976	1072	Nenobfak.exe	39
PID 1072 wrote to memory of 2976	1072	Nenobfak.exe	39

C:\Users\Admin\AppData\Local\Temp\3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
"C:\Users\Admin\AppData\Local\Temp\3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Nmnace32.exe
  C:\Windows\system32\Nmnace32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\Nplmop32.exe
    C:\Windows\system32\Nplmop32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\Nkbalifo.exe
      C:\Windows\system32\Nkbalifo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nmnace32.exe

Filesize
77KB

MD5
c6efd978dd9d070fdeb4ebc7441f782a

SHA1
23b833e5afc98621ad097cc0995d9ec52796bdbc

SHA256
58d79ec5bc54a2d9293f838087ca7413d62c61abb87b8bcf69186ac13f6e68c7

SHA512
c808268802aa8e3441bb18377968fa98b793e24a3675ffb8644be2bbfaac193580da0a6ae497aa6d443af26edc5ed5cbd3b1eef622526be308e24c59617b6af3

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
77KB

MD5
1bd2bd8bc213c00269d0e0be35ff8544

SHA1
6a14866bf91b074f5f64d34b42736d19f9a7e16f

SHA256
7336a05f751601863193f19c122f3cf8d9ea1bfce6869c072a35a33289be4a5b

SHA512
66454102a9594a6c596f154d71621739ec16a86e6d75367598f14e24a88ef8f598064045a528a065b5d156e03864cf2a56b6a7cf7cd3a2691bf97e26e8523485

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
77KB

MD5
53c5cac2446b9005d7fe6f0b8c87e7ed

SHA1
fbcef8c79bb67eb4ef59437c5290902e1b56beba

SHA256
e097bf912375b36287004beb4a94fbae7024b03cec059aae1982b13508ceebf0

SHA512
191bb32aea29dc3677055ed7c1daf2c3b0a97db6ee5af6f6f4b7d0527312510f1841ee23ceff4fe8d7e31c493b0e673475bf8891f37b9791b70ece16c3f03a3e

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
77KB

MD5
b8ffb43dfc43a3a96b0e2fff2dfde5a7

SHA1
d7877cc3a13d95fa14426776aee26375458f554a

SHA256
bb711266c9fc97d7d524946b5193ca70e54ae940c221aba01b99af5a4b704769

SHA512
f506e527f0b9a9ad1f0296d4af586f1e31088102d6b80335fa6ae5e3db80f396c2e18d8965b5f99de09711af552a83ae1883b653a2c2d72cf2da1a1262569d5e

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
77KB

MD5
28dc4892adc7eed336c47ba836f22cb4

SHA1
7808aad4ffb264b44a7cfdf60afc1d8f6daddabe

SHA256
de7100ac8a7ca0a149d48e330cc8d86f9895ce3d7ef23929b610d54adb8ba72f

SHA512
6cc1f830dab69ccdc749920cb33ed0c3b60cebdf5375360a0efd636c4cbe4734b72bff8b12d0df48fc062e42407d5a998dc9a2e6abfd39a20eb14a9a10255070

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
77KB

MD5
1c2040621932686cfc4256cbf096c795

SHA1
382dfd12dbc92c42b5d72a0cf3c6e5161b802d1d

SHA256
feb1acce676e7867fc86a44fc1bd155fd7cbe1c996991686097f76e3e16e1685

SHA512
0f46c9e26da48d422fc06d43534ddf7e94f0e11e799b8fc7e36da4b8077bf8f537e5e4946c6c58be0edcd47226b212d1ed03b6c3a8dee2ac5245a93f41b0e3a0

Download Submit
\Windows\SysWOW64\Nkbalifo.exe

Filesize
77KB

MD5
71e7cad14cde3829ec3b6b8cf3974816

SHA1
a4282e90e095ca1879295c4f9dd8e5e9a9c8c45e

SHA256
bcfdfa5a6e11f7702d8e6fa92524527d84bbd5c158ab5657b7f76abfc6d22611

SHA512
7dea7f4b4265b46c11a92b93e656a4b455bfb7e7dbc93023aafa5344fa293e33fdea3354f47644f5de8eaa24e95a65eda7fc82a5a5339e77269e80ef86da8364

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
77KB

MD5
a26117427adbd9b020931d9ea916a3e1

SHA1
6252badb4b0b1bd7e81e3920595a58bcaabcb93f

SHA256
9643b73ad622c2ca1792e4e7f36ee1e5b2906144f06ace7db823258777a2211d

SHA512
16674d6eb0a76c29dd0472fb340b1c0d68a323ec16061d431c2950c72d05d8b38c9abd3eef9ca66eb7f387c3ba8937d43f5dce1e7c0e8b5baa36e08f956bb59f

Download Submit
\Windows\SysWOW64\Npagjpcd.exe

Filesize
77KB

MD5
c50c4862d6721b28de8c2d236847af00

SHA1
1e74aedb424fd799320ac1df775f70d5b9c4e673

SHA256
2e0e0ac5f795dd69274d75473d274d14f20579c9c32ab70ba91e70a31f0392f5

SHA512
742412d38861195d26285dea8c86b2d2faff982da471087fb4de6a535d390b0bb38d32ed8d2fe51433ca27c3a13fbdc9b44ef4cdf030f8cff5661cb9a224b9e9

Download Submit
\Windows\SysWOW64\Npojdpef.exe

Filesize
77KB

MD5
5a789bdff35aca23ef28c2393d60877e

SHA1
fa42b8c0db3fe1c14fa22488b8c2e68581d6f5ec

SHA256
e4d6092d03bcf6d870d7f0945b8ff0485499a309dd923a40485a31fd824b15c7

SHA512
b6343f25b155c0ef17f474e94e652f1eb092111b70c4dfca539781843d9b5b9fef4aa25a1e33368d411cf71bcb3d70eb3b2814bb80a514c0f3d90b4263fd548d

Download Submit
memory/320-75-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/320-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/320-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-90-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1072-134-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1072-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-62-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2344-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-107-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2592-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-115-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2616-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-35-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2776-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-27-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2848-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-17-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2848-18-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2976-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads