berbew | 5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7

Analysis

max time kernel
93s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Size

96KB
MD5

71e9b7446287eb9de5d6df32fbfbf57e
SHA1

51b20dc6ea8803cbf31492dc64d030910257d919
SHA256

5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7
SHA512

a505787d1ea7fd8980db489a6a9413ed504e4638da89024e03b7c277ad15221161ea847d5c6fe3d2617b10b441cb417dc65f934ba4cd202d0ea0bb8e10fff052
SSDEEP

1536:GXrWW19rmfyhv0HEd1fjicysv0m7Q+Q32EGbaAU3VV/BOmnCMy0QiLiizHNQNdq:WrjeyhcHeRMmu32EGWAmV5OmnCMyELiY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 11 IoCs

pid	Process
3448	Delnin32.exe
4928	Dfnjafap.exe
908	Dkifae32.exe
3468	Dmgbnq32.exe
1412	Deokon32.exe
2156	Ddakjkqi.exe
1664	Dogogcpo.exe
1272	Daekdooc.exe
4452	Dhocqigp.exe
2752	Dknpmdfc.exe
2432	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1692	2432	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3448	2028	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe	82
PID 2028 wrote to memory of 3448	2028	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe	82
PID 2028 wrote to memory of 3448	2028	5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe	82
PID 3448 wrote to memory of 4928	3448	Delnin32.exe	83
PID 3448 wrote to memory of 4928	3448	Delnin32.exe	83
PID 3448 wrote to memory of 4928	3448	Delnin32.exe	83
PID 4928 wrote to memory of 908	4928	Dfnjafap.exe	84
PID 4928 wrote to memory of 908	4928	Dfnjafap.exe	84
PID 4928 wrote to memory of 908	4928	Dfnjafap.exe	84
PID 908 wrote to memory of 3468	908	Dkifae32.exe	85
PID 908 wrote to memory of 3468	908	Dkifae32.exe	85
PID 908 wrote to memory of 3468	908	Dkifae32.exe	85
PID 3468 wrote to memory of 1412	3468	Dmgbnq32.exe	86
PID 3468 wrote to memory of 1412	3468	Dmgbnq32.exe	86
PID 3468 wrote to memory of 1412	3468	Dmgbnq32.exe	86
PID 1412 wrote to memory of 2156	1412	Deokon32.exe	87
PID 1412 wrote to memory of 2156	1412	Deokon32.exe	87
PID 1412 wrote to memory of 2156	1412	Deokon32.exe	87
PID 2156 wrote to memory of 1664	2156	Ddakjkqi.exe	88
PID 2156 wrote to memory of 1664	2156	Ddakjkqi.exe	88
PID 2156 wrote to memory of 1664	2156	Ddakjkqi.exe	88
PID 1664 wrote to memory of 1272	1664	Dogogcpo.exe	89
PID 1664 wrote to memory of 1272	1664	Dogogcpo.exe	89
PID 1664 wrote to memory of 1272	1664	Dogogcpo.exe	89
PID 1272 wrote to memory of 4452	1272	Daekdooc.exe	90
PID 1272 wrote to memory of 4452	1272	Daekdooc.exe	90
PID 1272 wrote to memory of 4452	1272	Daekdooc.exe	90
PID 4452 wrote to memory of 2752	4452	Dhocqigp.exe	91
PID 4452 wrote to memory of 2752	4452	Dhocqigp.exe	91
PID 4452 wrote to memory of 2752	4452	Dhocqigp.exe	91
PID 2752 wrote to memory of 2432	2752	Dknpmdfc.exe	92
PID 2752 wrote to memory of 2432	2752	Dknpmdfc.exe	92
PID 2752 wrote to memory of 2432	2752	Dknpmdfc.exe	92

C:\Users\Admin\AppData\Local\Temp\5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe
"C:\Users\Admin\AppData\Local\Temp\5e991ce9b78bda66fdca7d6fc50a6271b98f8ba2ca976fffad24e7a9815d14d7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\Delnin32.exe
  C:\Windows\system32\Delnin32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\SysWOW64\Dfnjafap.exe
    C:\Windows\system32\Dfnjafap.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\Dkifae32.exe
      C:\Windows\system32\Dkifae32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 408
        13⤵
        Program crash
        
        PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2432 -ip 2432
1⤵
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amfoeb32.dll

Filesize
7KB

MD5
793610905252d13a9b9a2d772a05c90c

SHA1
8881e978e07dc13729d996c526510a74b9f5a109

SHA256
50eb8eb5bd607aa178bad1c5d675c78ad232195a718bb1fa77405a1b80dda968

SHA512
ae44d7c37bae107b5abdd51ac636c9a79dc6285a75004ff390468fdb5a70f52e413635a6987cb8d369f0fb81ae507509d5d2719611a3b2e4e435dd5b0fa1b8ab

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
159c81c6c8a40ce665708b201faa86ca

SHA1
5983916a0c357380e8031e08238912761f6922c2

SHA256
01963eca2f7a4ae82270a5a6e28a6838ade7ea8e4741ebc03e15c9cd3933c5a1

SHA512
6660601466ea904ebedee643b4e1345d1a8eb2c7931b49e082db26132eedc1bcec15260332495ae0bd2b825d44db5cc029fddc361174d4a313c533ac52820b5e

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
55a4f0a306cfe06590223d41062ac792

SHA1
53388ebb7691ddb79ac16cf5ef251de66137ada7

SHA256
6c36a2c03958f6ea737ccfaadc4169c8556ca8030e560277f5d489e006512b8c

SHA512
af1285be98fe5ecd722a76d44b26d467c0d5ec2d09fa77bf25be24cbbd35da0c439f619ad82a5925f92a4851fd5e7c2a5c81932d3948996f50522b4f1b4de590

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
c6d4d4b60840ac4cad999940852d2885

SHA1
4b7329bb5c577732676cb1ff7bf1fd0f475ddd1e

SHA256
e9213164ea16d289b52a927aec7c89bd13ea4bb3c167f5eddcf370193730afff

SHA512
2897c7390ba19a26e1fd281b2b1236f1a362d301a403fd30fb59214002df5565d90be26add56379388809038422f33070f11cabf898dcbcfc17fcac800e09de6

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
7c40e060efaf0bee4817491125509f37

SHA1
fcf20e190be00a679ba9e22957d4fd53cf152352

SHA256
b37a97f92039bc2c12bf976c03d7ec358ba60faeb4f0aab2407fa152cdf4473c

SHA512
a5862ef256cb1d5a7cd4d825faf60c233e0998f24ac2c48a2ed83658fb14924e6843aaf64bb4dceaaed32f22c543aac3008ed9ce9209357ca6a41d4991f6b0a5

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
3edc76cd2dce262daf7fb342ea9fd046

SHA1
2102ce42f9471ae8e5105d9fa83a1371893d5112

SHA256
7095e1e8145702ffa83a8187374f6357df5b2aef007342c62c6804826003b9da

SHA512
72691ec7e008e57376b59ab537714380fd6782463ad19eaea99d88ffb6bae417d938e9b2870107adfaa72ccafc829806ab13f45ac16a253dacc78e0eb848c5cc

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
ec5924589d2715ec50e105a66a54598c

SHA1
480bbfcde38bfe55e47e306058dbd7403a89bbad

SHA256
10ddccc893f2b0ef1578c36b11b6787f1c69d706be0d2280295402c0c2fda3ba

SHA512
b2c174461f81d7ccaf6d17b909dee2594822ef07192b4fb17f509cdeff9d7c79b60dee2e36cecfb826e265d76edc249ad0c7e05cba672d62a6fd10a3d9007954

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
fc4222165d06f1884704cf63e04be8a6

SHA1
e0a0ae26a46b2c81062e24421cad2c31c455e39b

SHA256
32428df42ff012268ac95635a561e6bcca8ebe5fbb8010dbb3c5b148040a6f99

SHA512
5e1449272eca3e060531eb1a5068cc19ffc27aa5526bba65689d46bdec31f389f1ff50cc42bf48bcbc08876c082ca8c6e3a0262431fa6520d4c87df193bca95a

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
19f0955b6a324bb08734ff87fb2b282e

SHA1
5dbaaf5f2cf1745f7f16df96f8166dc7667018dd

SHA256
06a454abe6e54b5ed2f2a5ff984ae933c2219a45fb87ec2dd6e201d996eb3f08

SHA512
45c131c1732aaeee97c2bfe54466b343b2e38201e1cfde0e9076b9b2ea550bdf45c74b48ebd358ef022c93b5fcfe1f4a84b4a44a90d3246cc9cc52b77b050c05

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
96KB

MD5
c50ec27610b49401e533d06c19498c8e

SHA1
21f7fc7306a9b28057c0693682af200cfbea4e3c

SHA256
ee530032ab927d30cf80e4a3d210ce9cef36e65b2a8232194b96ce7cb28eb3b9

SHA512
a82b3ca0fd4556198b26782a1025eed575f0800ce40ef5f57d9a029c4cfaef0f5d611e167469263d09ce298344a856be8bd26b7c28170522b4ff4cbd6f6b9a36

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
69d138fcae18e321673f257d58d4effc

SHA1
ee6fd83e3fdc15a5116ba9b86fad81060b317495

SHA256
6b3025f7e0a2be5f6c38aa8b6d4cbead4868ee64d41866e776ed4a1db9b7ae7c

SHA512
709b0cf8c3a6cebd4ae82e2c9de4de2975f885b76e27453920ef09bab5743cd8b53801bf20fe0df71c14f67f88318c063faab148ff9847c10a6f74de8e355726

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
e64ae50e7576caaf8aad6231c93bb8dd

SHA1
19a98526dff027feb295267197f83c367fff6d94

SHA256
a178055992b1fdee7d92fe39f1a38a1c7020567a72f4666e9fe8f02038b60790

SHA512
430c731e8ba4d16f09c1bda1e2faed1dad96c3218c1a9763bbe88f17c763b33b17ed9f6b2a97f73cf084934d010206c60fc690d490f21dd9de3a343fb9fc3421

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
cd04999138b338f068e55d196a2c349d

SHA1
0d6577d8a15b25a5c9d0d3a9e95a9f32d0516a2c

SHA256
8e231f65b2fa99284fee1581cbc758fde85ea92509352ce710d676dc03330367

SHA512
d08de84aaa907c6db8b839e45c0ddb7356aac33f470ab0d385c48c3b35b598c6fe486160107e24fa658fabe161b24f86536b973b5f99a219ac5feb75f45440dc

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
c515f6d2e53e863c86d84f45c90382c3

SHA1
af7c048a1e12b2cf1ebaa402ff3c4bf4d7bdbbb7

SHA256
cfa555144625f9e0557c9c691e8e9671d309a8b7a57a4563286cab3d008709e2

SHA512
7bb7c0504b73c7f8947a5e7598daa9a8c0c37d56afe06b9d65f74613ba27a19e1381d654020ac5380c965cbcd0b09662adb687689e8382caca663659d7db4137

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
1224bb7cec6c3d3efd9a11dceda7c884

SHA1
91827897259ce0737cc4d3e1757e987c2d83d092

SHA256
ff2bba33e1249bfc2762e8208471257d29223cb0d239a893a7bd4934a63bd1db

SHA512
9554833685bcf9966f48a2d48f9a7a5c67a3bd2ea215ccd16988a0f330bb467e297ccf2d15eb9296a086c13220234cb18b575f61b896b8efda48dd0bfdcf1e92

Download Submit
memory/908-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/908-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1412-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1412-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1664-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1664-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2156-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2156-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-93-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3448-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3448-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4928-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4928-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads