berbew | 8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Size

300KB
MD5

59d7d273debede907571ec2138734360
SHA1

c183367c1ea2cc5645fd6db1a1a8ac6ea1244900
SHA256

8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2
SHA512

109dd0078b8d34f807484dc8492ffc28b6beb804ced134b5cbd55480e9893c9b8d81321a99a31f0c331538c754c6efca756ac7434ce1afa93517bf06c3e1cd48
SSDEEP

6144:Q5i5htHl9pS5tT7B9mo436zthGEU5tT7B9mo43N:Q5iFHly5tHKo4othW5tHKo4d

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blghhahp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcciiope.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alcbno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagafeai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bakkad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdcdnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkigb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakkad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chglca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcciiope.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dffopi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnflff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkigb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpble32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdcdnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alcbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagafeai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blghhahp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpble32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnflff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chglca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dffopi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 12 IoCs

pid	Process
1748	Qnflff32.exe
2892	Qdcdnm32.exe
2720	Qmkigb32.exe
2744	Alcbno32.exe
2832	Bagafeai.exe
2604	Bakkad32.exe
2068	Blghhahp.exe
2360	Cjpble32.exe
2188	Chglca32.exe
1532	Dcciiope.exe
2084	Dffopi32.exe
524	Dbmpejph.exe

Loads dropped DLL 28 IoCs

pid	Process
1088	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
1088	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
1748	Qnflff32.exe
1748	Qnflff32.exe
2892	Qdcdnm32.exe
2892	Qdcdnm32.exe
2720	Qmkigb32.exe
2720	Qmkigb32.exe
2744	Alcbno32.exe
2744	Alcbno32.exe
2832	Bagafeai.exe
2832	Bagafeai.exe
2604	Bakkad32.exe
2604	Bakkad32.exe
2068	Blghhahp.exe
2068	Blghhahp.exe
2360	Cjpble32.exe
2360	Cjpble32.exe
2188	Chglca32.exe
2188	Chglca32.exe
1532	Dcciiope.exe
1532	Dcciiope.exe
2084	Dffopi32.exe
2084	Dffopi32.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eempnnjn.dll	Bakkad32.exe
File created	C:\Windows\SysWOW64\Ejidce32.dll	Blghhahp.exe
File created	C:\Windows\SysWOW64\Dcciiope.exe	Chglca32.exe
File created	C:\Windows\SysWOW64\Bakkad32.exe	Bagafeai.exe
File opened for modification	C:\Windows\SysWOW64\Bakkad32.exe	Bagafeai.exe
File created	C:\Windows\SysWOW64\Qmkigb32.exe	Qdcdnm32.exe
File opened for modification	C:\Windows\SysWOW64\Bagafeai.exe	Alcbno32.exe
File created	C:\Windows\SysWOW64\Cjpble32.exe	Blghhahp.exe
File created	C:\Windows\SysWOW64\Dffopi32.exe	Dcciiope.exe
File created	C:\Windows\SysWOW64\Jajgam32.dll	Dcciiope.exe
File opened for modification	C:\Windows\SysWOW64\Dbmpejph.exe	Dffopi32.exe
File opened for modification	C:\Windows\SysWOW64\Qnflff32.exe	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
File created	C:\Windows\SysWOW64\Qdcdnm32.exe	Qnflff32.exe
File created	C:\Windows\SysWOW64\Klhjlbpq.dll	Dffopi32.exe
File created	C:\Windows\SysWOW64\Fkfmba32.dll	Qmkigb32.exe
File created	C:\Windows\SysWOW64\Bagafeai.exe	Alcbno32.exe
File opened for modification	C:\Windows\SysWOW64\Dffopi32.exe	Dcciiope.exe
File opened for modification	C:\Windows\SysWOW64\Qdcdnm32.exe	Qnflff32.exe
File created	C:\Windows\SysWOW64\Dokccf32.dll	Qdcdnm32.exe
File created	C:\Windows\SysWOW64\Blghhahp.exe	Bakkad32.exe
File opened for modification	C:\Windows\SysWOW64\Chglca32.exe	Cjpble32.exe
File created	C:\Windows\SysWOW64\Ceeaqa32.dll	Cjpble32.exe
File opened for modification	C:\Windows\SysWOW64\Dcciiope.exe	Chglca32.exe
File created	C:\Windows\SysWOW64\Aladkaic.dll	Chglca32.exe
File created	C:\Windows\SysWOW64\Cmcblpdg.dll	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
File opened for modification	C:\Windows\SysWOW64\Alcbno32.exe	Qmkigb32.exe
File created	C:\Windows\SysWOW64\Gnaqdnnd.dll	Bagafeai.exe
File opened for modification	C:\Windows\SysWOW64\Cjpble32.exe	Blghhahp.exe
File created	C:\Windows\SysWOW64\Chglca32.exe	Cjpble32.exe
File created	C:\Windows\SysWOW64\Qnflff32.exe	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
File created	C:\Windows\SysWOW64\Pfgboeij.dll	Alcbno32.exe
File created	C:\Windows\SysWOW64\Dbmpejph.exe	Dffopi32.exe
File created	C:\Windows\SysWOW64\Alcbno32.exe	Qmkigb32.exe
File opened for modification	C:\Windows\SysWOW64\Blghhahp.exe	Bakkad32.exe
File created	C:\Windows\SysWOW64\Hebkjd32.dll	Qnflff32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkigb32.exe	Qdcdnm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2096	524	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnflff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkigb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alcbno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagafeai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chglca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dffopi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdcdnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakkad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blghhahp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcciiope.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbmpejph.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagafeai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokccf32.dll"	Qdcdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkigb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alcbno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blghhahp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceeaqa32.dll"	Cjpble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aladkaic.dll"	Chglca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcblpdg.dll"	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blghhahp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chglca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dffopi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnflff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebkjd32.dll"	Qnflff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alcbno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bakkad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chglca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdcdnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkigb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgboeij.dll"	Alcbno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagafeai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnaqdnnd.dll"	Bagafeai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajgam32.dll"	Dcciiope.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnflff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdcdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfmba32.dll"	Qmkigb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eempnnjn.dll"	Bakkad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhjlbpq.dll"	Dffopi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bakkad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejidce32.dll"	Blghhahp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcciiope.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcciiope.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dffopi32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1748	1088	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe	29
PID 1088 wrote to memory of 1748	1088	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe	29
PID 1088 wrote to memory of 1748	1088	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe	29
PID 1088 wrote to memory of 1748	1088	8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe	29
PID 1748 wrote to memory of 2892	1748	Qnflff32.exe	30
PID 1748 wrote to memory of 2892	1748	Qnflff32.exe	30
PID 1748 wrote to memory of 2892	1748	Qnflff32.exe	30
PID 1748 wrote to memory of 2892	1748	Qnflff32.exe	30
PID 2892 wrote to memory of 2720	2892	Qdcdnm32.exe	31
PID 2892 wrote to memory of 2720	2892	Qdcdnm32.exe	31
PID 2892 wrote to memory of 2720	2892	Qdcdnm32.exe	31
PID 2892 wrote to memory of 2720	2892	Qdcdnm32.exe	31
PID 2720 wrote to memory of 2744	2720	Qmkigb32.exe	32
PID 2720 wrote to memory of 2744	2720	Qmkigb32.exe	32
PID 2720 wrote to memory of 2744	2720	Qmkigb32.exe	32
PID 2720 wrote to memory of 2744	2720	Qmkigb32.exe	32
PID 2744 wrote to memory of 2832	2744	Alcbno32.exe	33
PID 2744 wrote to memory of 2832	2744	Alcbno32.exe	33
PID 2744 wrote to memory of 2832	2744	Alcbno32.exe	33
PID 2744 wrote to memory of 2832	2744	Alcbno32.exe	33
PID 2832 wrote to memory of 2604	2832	Bagafeai.exe	34
PID 2832 wrote to memory of 2604	2832	Bagafeai.exe	34
PID 2832 wrote to memory of 2604	2832	Bagafeai.exe	34
PID 2832 wrote to memory of 2604	2832	Bagafeai.exe	34
PID 2604 wrote to memory of 2068	2604	Bakkad32.exe	35
PID 2604 wrote to memory of 2068	2604	Bakkad32.exe	35
PID 2604 wrote to memory of 2068	2604	Bakkad32.exe	35
PID 2604 wrote to memory of 2068	2604	Bakkad32.exe	35
PID 2068 wrote to memory of 2360	2068	Blghhahp.exe	36
PID 2068 wrote to memory of 2360	2068	Blghhahp.exe	36
PID 2068 wrote to memory of 2360	2068	Blghhahp.exe	36
PID 2068 wrote to memory of 2360	2068	Blghhahp.exe	36
PID 2360 wrote to memory of 2188	2360	Cjpble32.exe	37
PID 2360 wrote to memory of 2188	2360	Cjpble32.exe	37
PID 2360 wrote to memory of 2188	2360	Cjpble32.exe	37
PID 2360 wrote to memory of 2188	2360	Cjpble32.exe	37
PID 2188 wrote to memory of 1532	2188	Chglca32.exe	38
PID 2188 wrote to memory of 1532	2188	Chglca32.exe	38
PID 2188 wrote to memory of 1532	2188	Chglca32.exe	38
PID 2188 wrote to memory of 1532	2188	Chglca32.exe	38
PID 1532 wrote to memory of 2084	1532	Dcciiope.exe	39
PID 1532 wrote to memory of 2084	1532	Dcciiope.exe	39
PID 1532 wrote to memory of 2084	1532	Dcciiope.exe	39
PID 1532 wrote to memory of 2084	1532	Dcciiope.exe	39
PID 2084 wrote to memory of 524	2084	Dffopi32.exe	40
PID 2084 wrote to memory of 524	2084	Dffopi32.exe	40
PID 2084 wrote to memory of 524	2084	Dffopi32.exe	40
PID 2084 wrote to memory of 524	2084	Dffopi32.exe	40
PID 524 wrote to memory of 2096	524	Dbmpejph.exe	41
PID 524 wrote to memory of 2096	524	Dbmpejph.exe	41
PID 524 wrote to memory of 2096	524	Dbmpejph.exe	41
PID 524 wrote to memory of 2096	524	Dbmpejph.exe	41

C:\Users\Admin\AppData\Local\Temp\8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe
"C:\Users\Admin\AppData\Local\Temp\8163cffd8e992fc035226df595236277862535e49631908edf3d0b7c9bfb8dc2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\Qnflff32.exe
  C:\Windows\system32\Qnflff32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\Qdcdnm32.exe
    C:\Windows\system32\Qdcdnm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Qmkigb32.exe
      C:\Windows\system32\Qmkigb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Alcbno32.exe
        
        C:\Windows\system32\Alcbno32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\Bagafeai.exe
        
        C:\Windows\system32\Bagafeai.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Bakkad32.exe
        
        C:\Windows\system32\Bakkad32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Blghhahp.exe
        
        C:\Windows\system32\Blghhahp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Cjpble32.exe
        
        C:\Windows\system32\Cjpble32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Chglca32.exe
        
        C:\Windows\system32\Chglca32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Dcciiope.exe
        
        C:\Windows\system32\Dcciiope.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Dffopi32.exe
        
        C:\Windows\system32\Dffopi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Dbmpejph.exe
        
        C:\Windows\system32\Dbmpejph.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Alcbno32.exe

Filesize
300KB

MD5
d91c1617b6cd90011994fe7755f3b62a

SHA1
f922d02772d930ff9f91546df035725dfef83866

SHA256
ff07b6a69a3420d8f30addc54b01e1cb0cb9c180ce18e10508df001cbe9d5644

SHA512
acff2706fdb5cdf7495b8eb3011312f99e19e6099460036ea6abd61484de6cf79d8b446cf47bc49fa2a8abff30265fcd21ddb02f40ad454bed6b39a8ff90ed63

Download Submit
C:\Windows\SysWOW64\Chglca32.exe

Filesize
300KB

MD5
863b82489f3ddd898f5134332b6a3700

SHA1
0437db0f8d678dbfc6d311776c2b73004be49231

SHA256
316341ed4c7c7aff6c5166299c568b3acd7287dd793c72465ddd6dccca70b682

SHA512
e89e35ed09fa131214ef2b8e5f6168a4f5a36407d88166acaeb3bd3e469dbc93b008b1c257ed73a998b4d7a8473701e82d3976c561952969a42eed432a6888ef

Download Submit
C:\Windows\SysWOW64\Cjpble32.exe

Filesize
300KB

MD5
4595cd5b5a56b2a5d145a7b6bda41127

SHA1
4475aab5aef0147c36505d00734b198f1038b563

SHA256
bea1ea3f1a0672084765075294f1d195b2138e7fc808a4787610f49930dc6c7f

SHA512
ece58abfa3271e9e0118a86a080a1c28cc7df2c84431d3783789a56f319f9e363796ccee32b42c3d9ef7595e8815074fe0860f8a5df7669d05da653d827d123f

Download Submit
C:\Windows\SysWOW64\Qdcdnm32.exe

Filesize
300KB

MD5
7f0dfe2b7a066a217050301a06bf6618

SHA1
376a0f46573ae68864acab160f1aeb4904116a49

SHA256
c1f34ba91ef95bf1135fde21842b91f86a848162ec455c79d243b64ac9dfa061

SHA512
80ffc348ef03936b63be051f53c03f1c0d6bb32a3ebb997221b200f1fd5a693e2e01fb7cd706908b95bebc4638840a958e117824f3083ac54c007b6122e9058b

Download Submit
\Windows\SysWOW64\Bagafeai.exe

Filesize
300KB

MD5
4e6b880d39baca4daaf291f2eca8a90d

SHA1
53bce9bfc11991b35f89fa5e1f8a3bc0b4e12fa8

SHA256
5823568c35ba0378d4a715ab7b02c7f6ecf097277d2925184879b0b3ff8e9864

SHA512
ccdbbe997ef1963f5190b3eb71f11bd612096d017912fe39f9422d589943eadb8aa846632913a0cd6e0ecb0c4d45444ced39900af1bf22a5281a37ee0b6a8751

Download Submit
\Windows\SysWOW64\Bakkad32.exe

Filesize
300KB

MD5
e277acb11c2a84cbe87123b5b0343c3a

SHA1
4084d7b5478dbac7400b67331d85e39a01a2d3bb

SHA256
90f96435d082dbe8cef81449b2b411a7139ce1392e08823c662d5f694fcdce3b

SHA512
4fbf1acb6ce01b816263d4313b56ba4bd81d2f94758f51b4685a870e209fa076e3035a8eac3cb4dda4b1b79f8db9b686a2dd62df0cd6a1aa0118fa39ec073fc9

Download Submit
\Windows\SysWOW64\Blghhahp.exe

Filesize
300KB

MD5
113496d9c7011db378e88f52412bf071

SHA1
e75edc68cc9f6674992a5ed0203c846868768d15

SHA256
f4dd32de9bbc18e9478d3c866af3bfb4939c499cb2a13ecb1ee86927516cda5d

SHA512
04ba90fba6bb80d9429c328aa4208c3ff9b7712162108326488233354aed43d79caf3c1c5a19f20ac3c4ecc821ae52dd1e6a5bc0fe4f82e96e533061fa20aeca

Download Submit
\Windows\SysWOW64\Dbmpejph.exe

Filesize
300KB

MD5
307152b722877266e3dcae26688456cc

SHA1
3771e1fa9d5b443e9ce796d71b0cd59366e6f0c3

SHA256
f09ba656d0f02c20961ff7e2c85f78701dfcb65871201ce94931d47e17d168c2

SHA512
e049035300b0c5e42c617444bb6e88ac8d6baf6b7cdf4083388bc065be0511f898bc54a34f94cc2e9cf4f6ca06568471f627179468410c7c8cc9c3e689632027

Download Submit
\Windows\SysWOW64\Dcciiope.exe

Filesize
300KB

MD5
b1a339e8bfaac65a3dd7e08cd5c200de

SHA1
9ed78791693c9a9910b8c96be09a5f4474ca20a9

SHA256
d1af47846dd3dea514d55bae7193875768420a2de2e90fcd81cdb69167b7fe61

SHA512
9e25d8b1faa00559ad656d1d2c42ddb4f7d0d78ca0cdcd59bfcfa546c9c113c0132fc01d25d2208d2ba6de9518f1d0a74af58daab7a1d1c0905cd59ddbd51ffb

Download Submit
\Windows\SysWOW64\Dffopi32.exe

Filesize
300KB

MD5
d96f7b065bb4915627e1fc8071d9e12d

SHA1
ca5c70265bffc129229fcff9e45711a9f3123d26

SHA256
2750385e7ea81d3bf4a4773f98356edd13f7527d57b57e1a3c301ef004187201

SHA512
0f4c3e99fed60a961f4a9bfa99f50aad9716e0941dfd03c0014b6f95dea68bfe3d0c151579e94e0a77075d8151cbfb35a2a6d7fa34aa1f717b075100342ff63b

Download Submit
\Windows\SysWOW64\Qmkigb32.exe

Filesize
300KB

MD5
b9fe1b75920742d7bbc0802623cde0f2

SHA1
cfe5446bc8685c2b12a83bca18a0300d46e6562e

SHA256
6680843f382c1f77c8be43483dfb09226980555d648d6d0f88f5cfdae8c1e441

SHA512
398553caad11cedf7f224b495f405749b5865e18063fd4bbd4c3bedfffdb4e27fc3ddb368c86c120f61a42b85a6b8c2c5ae76f1bac7b9cd5e4e85d7467f09c81

Download Submit
\Windows\SysWOW64\Qnflff32.exe

Filesize
300KB

MD5
a0e2e0e96385f6590c5d2f4131da7da9

SHA1
e51fbb933e960db2200ee5b9f6ccdc55d15cd562

SHA256
38b2dae13636fe29350d50088e537432ab8309efa2ffda0d8bd01d057b3fcef9

SHA512
73c5bf4f2d9b163cd9a67769194c81914311f0093572d70dae5109b0662d4ef1943d6869dbf6d31b66fb9cef8922af65f224bfaf00667daf87eed652663788af

Download Submit
memory/524-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/524-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-17-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/1088-18-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/1088-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-153-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1748-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-111-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2068-110-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2068-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-168-0x00000000002B0000-0x00000000002DF000-memory.dmp

Filesize
188KB

Download
memory/2084-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-139-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/2188-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-125-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2360-113-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-95-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/2604-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-96-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/2720-52-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2720-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-66-0x00000000002B0000-0x00000000002DF000-memory.dmp

Filesize
188KB

Download
memory/2744-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-67-0x00000000002B0000-0x00000000002DF000-memory.dmp

Filesize
188KB

Download
memory/2744-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-81-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/2832-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads