berbew | 32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Size

64KB
MD5

413020776698bf7717c9e2db46e5da20
SHA1

89c2aecfb1d37b51f959b5b19d19fc4823237837
SHA256

32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9
SHA512

da6e10790a74499ab1c8c3570167eb9cfc066897bed893e9884ab5c80fafe1c1528852624b072b9ae789b2a52d897568d5f14b87de7ee31dcab879c7f7498c84
SSDEEP

1536:cNBgGT6fA4w3AlRRdfXfySqfvoNV1iL+iALMH6:QBLWYhAl3dfXfOfQNV1iL+9Ma

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 10 IoCs

pid	Process
2880	Nplmop32.exe
2708	Ngfflj32.exe
2616	Nmpnhdfc.exe
2344	Nlcnda32.exe
780	Nekbmgcn.exe
912	Nigome32.exe
2592	Npagjpcd.exe
2600	Ncpcfkbg.exe
1072	Niikceid.exe
2960	Nlhgoqhh.exe

Loads dropped DLL 24 IoCs

pid	Process
2856	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
2856	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
2880	Nplmop32.exe
2880	Nplmop32.exe
2708	Ngfflj32.exe
2708	Ngfflj32.exe
2616	Nmpnhdfc.exe
2616	Nmpnhdfc.exe
2344	Nlcnda32.exe
2344	Nlcnda32.exe
780	Nekbmgcn.exe
780	Nekbmgcn.exe
912	Nigome32.exe
912	Nigome32.exe
2592	Npagjpcd.exe
2592	Npagjpcd.exe
2600	Ncpcfkbg.exe
2600	Ncpcfkbg.exe
1072	Niikceid.exe
1072	Niikceid.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nigome32.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Nekbmgcn.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Nekbmgcn.exe	Nlcnda32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Ncpcfkbg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1764	2960	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Nplmop32.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2880	2856	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe	30
PID 2856 wrote to memory of 2880	2856	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe	30
PID 2856 wrote to memory of 2880	2856	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe	30
PID 2856 wrote to memory of 2880	2856	32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe	30
PID 2880 wrote to memory of 2708	2880	Nplmop32.exe	31
PID 2880 wrote to memory of 2708	2880	Nplmop32.exe	31
PID 2880 wrote to memory of 2708	2880	Nplmop32.exe	31
PID 2880 wrote to memory of 2708	2880	Nplmop32.exe	31
PID 2708 wrote to memory of 2616	2708	Ngfflj32.exe	32
PID 2708 wrote to memory of 2616	2708	Ngfflj32.exe	32
PID 2708 wrote to memory of 2616	2708	Ngfflj32.exe	32
PID 2708 wrote to memory of 2616	2708	Ngfflj32.exe	32
PID 2616 wrote to memory of 2344	2616	Nmpnhdfc.exe	33
PID 2616 wrote to memory of 2344	2616	Nmpnhdfc.exe	33
PID 2616 wrote to memory of 2344	2616	Nmpnhdfc.exe	33
PID 2616 wrote to memory of 2344	2616	Nmpnhdfc.exe	33
PID 2344 wrote to memory of 780	2344	Nlcnda32.exe	34
PID 2344 wrote to memory of 780	2344	Nlcnda32.exe	34
PID 2344 wrote to memory of 780	2344	Nlcnda32.exe	34
PID 2344 wrote to memory of 780	2344	Nlcnda32.exe	34
PID 780 wrote to memory of 912	780	Nekbmgcn.exe	35
PID 780 wrote to memory of 912	780	Nekbmgcn.exe	35
PID 780 wrote to memory of 912	780	Nekbmgcn.exe	35
PID 780 wrote to memory of 912	780	Nekbmgcn.exe	35
PID 912 wrote to memory of 2592	912	Nigome32.exe	36
PID 912 wrote to memory of 2592	912	Nigome32.exe	36
PID 912 wrote to memory of 2592	912	Nigome32.exe	36
PID 912 wrote to memory of 2592	912	Nigome32.exe	36
PID 2592 wrote to memory of 2600	2592	Npagjpcd.exe	37
PID 2592 wrote to memory of 2600	2592	Npagjpcd.exe	37
PID 2592 wrote to memory of 2600	2592	Npagjpcd.exe	37
PID 2592 wrote to memory of 2600	2592	Npagjpcd.exe	37
PID 2600 wrote to memory of 1072	2600	Ncpcfkbg.exe	38
PID 2600 wrote to memory of 1072	2600	Ncpcfkbg.exe	38
PID 2600 wrote to memory of 1072	2600	Ncpcfkbg.exe	38
PID 2600 wrote to memory of 1072	2600	Ncpcfkbg.exe	38
PID 1072 wrote to memory of 2960	1072	Niikceid.exe	39
PID 1072 wrote to memory of 2960	1072	Niikceid.exe	39
PID 1072 wrote to memory of 2960	1072	Niikceid.exe	39
PID 1072 wrote to memory of 2960	1072	Niikceid.exe	39
PID 2960 wrote to memory of 1764	2960	Nlhgoqhh.exe	40
PID 2960 wrote to memory of 1764	2960	Nlhgoqhh.exe	40
PID 2960 wrote to memory of 1764	2960	Nlhgoqhh.exe	40
PID 2960 wrote to memory of 1764	2960	Nlhgoqhh.exe	40

C:\Users\Admin\AppData\Local\Temp\32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe
"C:\Users\Admin\AppData\Local\Temp\32134148b39d880ee5e0862121ed5e1612106db3974c944fad7250ab5892e2e9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Nplmop32.exe
  C:\Windows\system32\Nplmop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Ngfflj32.exe
    C:\Windows\system32\Ngfflj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Nmpnhdfc.exe
      C:\Windows\system32\Nmpnhdfc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
64KB

MD5
6fec6ff1bf040e1e4ab87429cf119cad

SHA1
7e1dfe822096ca7d9c5026aad82804df6c88505e

SHA256
4812458cdec9ed25019459d46e8cc43d187afe7b3a420cee7138828a3d9d6cec

SHA512
51745139b7aa9838250c215a035d0475100a68c97a114f922869ed2046961c3d94904c5b0e60e71c14922dd00b7c0d02187daee9b3c166595c081d2419942f12

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
64KB

MD5
d06ae737df8812ec8e172d7bcab5f310

SHA1
c57c2e1a889663daa3d94a35e2616bdba6bbc3cc

SHA256
dc0abe230b8cc3868b37494d853ccaae103eb653e117a8736fd44c586c326c21

SHA512
2ab0e20569ac44fe72b9cdf4af7a22b8692f85ee6efd1abf038c89aa3c70143240bf68e92275044069cd1cd211c7cc7ba19026dc49601b69ef274cf75dc8bfc2

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
64KB

MD5
361f4844286fb4e5b482a440dc752228

SHA1
598a2d76c9555ad19405a5a5140ea8a0531e0d17

SHA256
afa02a21cc16976f842abc4aad4f94c6e290065a245d33631efd1ccb0b135b50

SHA512
5a54d351ddbc111b101d07186868e041bf3e13a58e1536d95635be148854b7944adfb60d3559894af32f0e7830ed1c87babd94b5a86de604141e1b9b3ffc8540

Download Submit
\Windows\SysWOW64\Nekbmgcn.exe

Filesize
64KB

MD5
30a7c49400f7c7ff1292a83b7f329054

SHA1
5cea6abc7b394c9c485dd0aaa2614f5e4cc308c0

SHA256
351b43b78e5e76703f7b02082fae4268b26dfec253748129f1a55261714a05e7

SHA512
dcbbd70a149c26288aaed9dacc60eb0dfcd513fd11cba5fae7817aac65401f357207e58674e83835d8af8a373aafe714b2da4530777f2383c4ebafb254c95504

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
64KB

MD5
498440d7885a5e9f27c8ecb77a204980

SHA1
95bb4fbf9a7c844ab925e99c2885bf8677d8e085

SHA256
84fec157d5879e8f8f1178dfc4d552dcbc3b6153a7f449036ebc758be628e4d2

SHA512
09f77e4ac64f7772d0db81b99dbe34e949d93cf1195b733eb64c1ced838201edb5c283bcd57bf776ace97cb2449c25396576e289bb92441c5d9d230252b21798

Download Submit
\Windows\SysWOW64\Niikceid.exe

Filesize
64KB

MD5
3202a2f86835bb27f6bd390f778e2813

SHA1
ea2beec1fc87700bfa024b3b040b856205e2a3fe

SHA256
56b90be9dc71cbcedb80859c66ec2f8c0b937b35491495f60950250b48a615e3

SHA512
b0933fe3af57995304a61ae1ec78fc005bde7437c8887ba9ba58d7c5eef8b5128df430a3764aafdd71441a0d0fd0d802c01e7f01b7e7f73972ab99d92ac900fb

Download Submit
\Windows\SysWOW64\Nlcnda32.exe

Filesize
64KB

MD5
4a1a1768074cb4fba9548c679c067fbc

SHA1
e561e1b5df611d5fb11fc4482ca641a05b69ac4b

SHA256
57f76fdee669448961121044f3f6576e52dc2bb76975fab4f8add219eefd06ba

SHA512
887388f19a2f0e7cb52634043dc56fe4644bea80ef6c81d08f3c72c2cda3355f7dfcfce03d6ff9203f0a9919c5448c43517ee61b5978d22a681e35ec07426633

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
64KB

MD5
208ec4f5bc5e84ce742b589c8090eaab

SHA1
d7640483d4ad6f4d32ce24335a227905b162786a

SHA256
5eb1a6e139c09122bb8723d4cb4e0d7ca486f992f4363ae1b4ade9e8e06a1e7d

SHA512
b20b5c3b9a7ff39360d04a457c9615384decc6de0d1d466853792989d1da53726c95ab8235a0e1ce1aeef3436fd17d23fe6dc8939e5b830c40f77fbf26749095

Download Submit
\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
64KB

MD5
268bd91af8ad0159814a987561cbc610

SHA1
f742c3b9db1a14df3bd6a04e3c83a690381b763f

SHA256
7db56c99afb4245e45a1e1dcfcf79779b6d7e0eb90b2c780351eea23690f1d5e

SHA512
39456e48ae71d975e9b5e15d05cb287fb915beba59d0286c696c45cfa7848a3818f27e5fa248c6fd0467ffa6478244d32d1dd6fef08039af139e6fa36a0ccb80

Download Submit
\Windows\SysWOW64\Npagjpcd.exe

Filesize
64KB

MD5
c17de4f7e7e942f815fe814245764412

SHA1
845c329c3fb8ef26c4d35a9bce0b1f4090b1b30d

SHA256
1340e72f45b4d70c94da922e972fbfd537258260de986ac687f46a61ebcc5c14

SHA512
88b2f2588aadab074c6328f15c1f8650b61932ad0e2c123d57116ccd158b1f6542535f6cf94a5c3437a0c9d3760f6e7df841a81f738f5d7ead55ba7e8681c372

Download Submit
memory/780-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/912-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/912-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/912-87-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1072-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2344-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2344-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2344-66-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2592-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2592-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-115-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2600-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-52-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2616-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-12-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2856-13-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2856-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2880-139-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2880-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2960-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2960-147-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads