berbew | 3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Size

479KB
MD5

e44f697b4e8ddca80794cd2783d312d0
SHA1

65de0866b7bc4c0b408f0036125dd5942c3e3bc3
SHA256

3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7
SHA512

55474fe096c31c4c969ef953fb62ba0dfbf94fb4650c159d291f160a1db0b22de8e494dae2ccc67934779ad21174e7c89fba1be65304e8e8cb26f9bfc13386cd
SSDEEP

6144:NW40om8YodbQPOwXYrMdlvkGr0f+uPOwXYrMdl2MPnhd8+ZDI:N4omIPwIaJwISfPI

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogjhnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfjadim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnlaomae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Limhpihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Limhpihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meffjjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nejkdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhopjqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnlaomae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcgqbq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggbmbfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lggbmbfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmhqokcq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjhnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnjhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnjhjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meffjjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbopon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfopdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipkema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhfjadim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgqbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhopjqi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nejkdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkema32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfopdk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 17 IoCs

pid	Process
2068	Ipkema32.exe
2792	Jhfjadim.exe
2920	Jnjhjj32.exe
2604	Jcgqbq32.exe
2640	Kjhopjqi.exe
2560	Kfopdk32.exe
428	Lnlaomae.exe
2144	Lggbmbfc.exe
1016	Limhpihl.exe
2932	Mjlejl32.exe
112	Meffjjln.exe
3012	Mbopon32.exe
1352	Nmhqokcq.exe
1824	Nogmin32.exe
1384	Nejkdm32.exe
896	Ogjhnp32.exe
808	Opblgehg.exe

Loads dropped DLL 38 IoCs

pid	Process
588	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
588	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
2068	Ipkema32.exe
2068	Ipkema32.exe
2792	Jhfjadim.exe
2792	Jhfjadim.exe
2920	Jnjhjj32.exe
2920	Jnjhjj32.exe
2604	Jcgqbq32.exe
2604	Jcgqbq32.exe
2640	Kjhopjqi.exe
2640	Kjhopjqi.exe
2560	Kfopdk32.exe
2560	Kfopdk32.exe
428	Lnlaomae.exe
428	Lnlaomae.exe
2144	Lggbmbfc.exe
2144	Lggbmbfc.exe
1016	Limhpihl.exe
1016	Limhpihl.exe
2932	Mjlejl32.exe
2932	Mjlejl32.exe
112	Meffjjln.exe
112	Meffjjln.exe
3012	Mbopon32.exe
3012	Mbopon32.exe
1352	Nmhqokcq.exe
1352	Nmhqokcq.exe
1824	Nogmin32.exe
1824	Nogmin32.exe
1384	Nejkdm32.exe
1384	Nejkdm32.exe
896	Ogjhnp32.exe
896	Ogjhnp32.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lggbmbfc.exe	Lnlaomae.exe
File opened for modification	C:\Windows\SysWOW64\Lggbmbfc.exe	Lnlaomae.exe
File created	C:\Windows\SysWOW64\Ekbglc32.dll	Lggbmbfc.exe
File created	C:\Windows\SysWOW64\Gibcam32.dll	Meffjjln.exe
File opened for modification	C:\Windows\SysWOW64\Jnjhjj32.exe	Jhfjadim.exe
File created	C:\Windows\SysWOW64\Najgacfg.dll	Jnjhjj32.exe
File opened for modification	C:\Windows\SysWOW64\Lnlaomae.exe	Kfopdk32.exe
File created	C:\Windows\SysWOW64\Lmieogma.dll	Kfopdk32.exe
File opened for modification	C:\Windows\SysWOW64\Mjlejl32.exe	Limhpihl.exe
File created	C:\Windows\SysWOW64\Cpgidb32.dll	Limhpihl.exe
File created	C:\Windows\SysWOW64\Meffjjln.exe	Mjlejl32.exe
File opened for modification	C:\Windows\SysWOW64\Nmhqokcq.exe	Mbopon32.exe
File created	C:\Windows\SysWOW64\Kjhopjqi.exe	Jcgqbq32.exe
File opened for modification	C:\Windows\SysWOW64\Kfopdk32.exe	Kjhopjqi.exe
File created	C:\Windows\SysWOW64\Kjhhabcc.dll	Lnlaomae.exe
File created	C:\Windows\SysWOW64\Mjlejl32.exe	Limhpihl.exe
File opened for modification	C:\Windows\SysWOW64\Nogmin32.exe	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Noplll32.dll	Nogmin32.exe
File created	C:\Windows\SysWOW64\Ogjhnp32.exe	Nejkdm32.exe
File opened for modification	C:\Windows\SysWOW64\Ipkema32.exe	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
File created	C:\Windows\SysWOW64\Depfiffk.dll	Jcgqbq32.exe
File opened for modification	C:\Windows\SysWOW64\Meffjjln.exe	Mjlejl32.exe
File opened for modification	C:\Windows\SysWOW64\Nejkdm32.exe	Nogmin32.exe
File created	C:\Windows\SysWOW64\Mbopon32.exe	Meffjjln.exe
File created	C:\Windows\SysWOW64\Ojqeofnd.dll	Nmhqokcq.exe
File opened for modification	C:\Windows\SysWOW64\Ogjhnp32.exe	Nejkdm32.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ogjhnp32.exe
File opened for modification	C:\Windows\SysWOW64\Jcgqbq32.exe	Jnjhjj32.exe
File created	C:\Windows\SysWOW64\Lnlaomae.exe	Kfopdk32.exe
File created	C:\Windows\SysWOW64\Limhpihl.exe	Lggbmbfc.exe
File created	C:\Windows\SysWOW64\Nbabqihk.dll	Mjlejl32.exe
File opened for modification	C:\Windows\SysWOW64\Jhfjadim.exe	Ipkema32.exe
File created	C:\Windows\SysWOW64\Gqaaok32.dll	Jhfjadim.exe
File opened for modification	C:\Windows\SysWOW64\Mbopon32.exe	Meffjjln.exe
File created	C:\Windows\SysWOW64\Njljfe32.dll	Mbopon32.exe
File created	C:\Windows\SysWOW64\Eljgid32.dll	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
File created	C:\Windows\SysWOW64\Jnjhjj32.exe	Jhfjadim.exe
File opened for modification	C:\Windows\SysWOW64\Limhpihl.exe	Lggbmbfc.exe
File created	C:\Windows\SysWOW64\Nogmin32.exe	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ogjhnp32.exe
File created	C:\Windows\SysWOW64\Jhfjadim.exe	Ipkema32.exe
File opened for modification	C:\Windows\SysWOW64\Kjhopjqi.exe	Jcgqbq32.exe
File created	C:\Windows\SysWOW64\Nmhqokcq.exe	Mbopon32.exe
File created	C:\Windows\SysWOW64\Nlnjkhha.dll	Nejkdm32.exe
File created	C:\Windows\SysWOW64\Keokbali.dll	Kjhopjqi.exe
File created	C:\Windows\SysWOW64\Nejkdm32.exe	Nogmin32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ogjhnp32.exe
File created	C:\Windows\SysWOW64\Ipkema32.exe	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
File created	C:\Windows\SysWOW64\Jebopgbd.dll	Ipkema32.exe
File created	C:\Windows\SysWOW64\Jcgqbq32.exe	Jnjhjj32.exe
File created	C:\Windows\SysWOW64\Kfopdk32.exe	Kjhopjqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	808	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipkema32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnjhjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgqbq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lggbmbfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meffjjln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbopon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nogmin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nejkdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfjadim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhopjqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfopdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnlaomae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Limhpihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhqokcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjhnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipkema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meffjjln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmhqokcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqeofnd.dll"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnjkhha.dll"	Nejkdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eljgid32.dll"	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfopdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgidb32.dll"	Limhpihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnjhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lggbmbfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Limhpihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnjhjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meffjjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibcam32.dll"	Meffjjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njljfe32.dll"	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebopgbd.dll"	Ipkema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmieogma.dll"	Kfopdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnlaomae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbglc32.dll"	Lggbmbfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ogjhnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcgqbq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgacfg.dll"	Jnjhjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipkema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Depfiffk.dll"	Jcgqbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keokbali.dll"	Kjhopjqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqaaok32.dll"	Jhfjadim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjhopjqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhfjadim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nejkdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogjhnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhhabcc.dll"	Lnlaomae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Limhpihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbopon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogjhnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcgqbq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjhopjqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfopdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbabqihk.dll"	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lggbmbfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nejkdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhfjadim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnlaomae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noplll32.dll"	Nogmin32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2068	588	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe	30
PID 588 wrote to memory of 2068	588	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe	30
PID 588 wrote to memory of 2068	588	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe	30
PID 588 wrote to memory of 2068	588	3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe	30
PID 2068 wrote to memory of 2792	2068	Ipkema32.exe	31
PID 2068 wrote to memory of 2792	2068	Ipkema32.exe	31
PID 2068 wrote to memory of 2792	2068	Ipkema32.exe	31
PID 2068 wrote to memory of 2792	2068	Ipkema32.exe	31
PID 2792 wrote to memory of 2920	2792	Jhfjadim.exe	32
PID 2792 wrote to memory of 2920	2792	Jhfjadim.exe	32
PID 2792 wrote to memory of 2920	2792	Jhfjadim.exe	32
PID 2792 wrote to memory of 2920	2792	Jhfjadim.exe	32
PID 2920 wrote to memory of 2604	2920	Jnjhjj32.exe	33
PID 2920 wrote to memory of 2604	2920	Jnjhjj32.exe	33
PID 2920 wrote to memory of 2604	2920	Jnjhjj32.exe	33
PID 2920 wrote to memory of 2604	2920	Jnjhjj32.exe	33
PID 2604 wrote to memory of 2640	2604	Jcgqbq32.exe	34
PID 2604 wrote to memory of 2640	2604	Jcgqbq32.exe	34
PID 2604 wrote to memory of 2640	2604	Jcgqbq32.exe	34
PID 2604 wrote to memory of 2640	2604	Jcgqbq32.exe	34
PID 2640 wrote to memory of 2560	2640	Kjhopjqi.exe	35
PID 2640 wrote to memory of 2560	2640	Kjhopjqi.exe	35
PID 2640 wrote to memory of 2560	2640	Kjhopjqi.exe	35
PID 2640 wrote to memory of 2560	2640	Kjhopjqi.exe	35
PID 2560 wrote to memory of 428	2560	Kfopdk32.exe	36
PID 2560 wrote to memory of 428	2560	Kfopdk32.exe	36
PID 2560 wrote to memory of 428	2560	Kfopdk32.exe	36
PID 2560 wrote to memory of 428	2560	Kfopdk32.exe	36
PID 428 wrote to memory of 2144	428	Lnlaomae.exe	37
PID 428 wrote to memory of 2144	428	Lnlaomae.exe	37
PID 428 wrote to memory of 2144	428	Lnlaomae.exe	37
PID 428 wrote to memory of 2144	428	Lnlaomae.exe	37
PID 2144 wrote to memory of 1016	2144	Lggbmbfc.exe	38
PID 2144 wrote to memory of 1016	2144	Lggbmbfc.exe	38
PID 2144 wrote to memory of 1016	2144	Lggbmbfc.exe	38
PID 2144 wrote to memory of 1016	2144	Lggbmbfc.exe	38
PID 1016 wrote to memory of 2932	1016	Limhpihl.exe	39
PID 1016 wrote to memory of 2932	1016	Limhpihl.exe	39
PID 1016 wrote to memory of 2932	1016	Limhpihl.exe	39
PID 1016 wrote to memory of 2932	1016	Limhpihl.exe	39
PID 2932 wrote to memory of 112	2932	Mjlejl32.exe	40
PID 2932 wrote to memory of 112	2932	Mjlejl32.exe	40
PID 2932 wrote to memory of 112	2932	Mjlejl32.exe	40
PID 2932 wrote to memory of 112	2932	Mjlejl32.exe	40
PID 112 wrote to memory of 3012	112	Meffjjln.exe	41
PID 112 wrote to memory of 3012	112	Meffjjln.exe	41
PID 112 wrote to memory of 3012	112	Meffjjln.exe	41
PID 112 wrote to memory of 3012	112	Meffjjln.exe	41
PID 3012 wrote to memory of 1352	3012	Mbopon32.exe	42
PID 3012 wrote to memory of 1352	3012	Mbopon32.exe	42
PID 3012 wrote to memory of 1352	3012	Mbopon32.exe	42
PID 3012 wrote to memory of 1352	3012	Mbopon32.exe	42
PID 1352 wrote to memory of 1824	1352	Nmhqokcq.exe	43
PID 1352 wrote to memory of 1824	1352	Nmhqokcq.exe	43
PID 1352 wrote to memory of 1824	1352	Nmhqokcq.exe	43
PID 1352 wrote to memory of 1824	1352	Nmhqokcq.exe	43
PID 1824 wrote to memory of 1384	1824	Nogmin32.exe	44
PID 1824 wrote to memory of 1384	1824	Nogmin32.exe	44
PID 1824 wrote to memory of 1384	1824	Nogmin32.exe	44
PID 1824 wrote to memory of 1384	1824	Nogmin32.exe	44
PID 1384 wrote to memory of 896	1384	Nejkdm32.exe	45
PID 1384 wrote to memory of 896	1384	Nejkdm32.exe	45
PID 1384 wrote to memory of 896	1384	Nejkdm32.exe	45
PID 1384 wrote to memory of 896	1384	Nejkdm32.exe	45

C:\Users\Admin\AppData\Local\Temp\3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe
"C:\Users\Admin\AppData\Local\Temp\3317fc3899963754172b8f66c9880a513aedc86093936f774f84860f20baf9e7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\SysWOW64\Ipkema32.exe
  C:\Windows\system32\Ipkema32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\Jhfjadim.exe
    C:\Windows\system32\Jhfjadim.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Jnjhjj32.exe
      C:\Windows\system32\Jnjhjj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\SysWOW64\Jcgqbq32.exe
        
        C:\Windows\system32\Jcgqbq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\Kjhopjqi.exe
        
        C:\Windows\system32\Kjhopjqi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Kfopdk32.exe
        
        C:\Windows\system32\Kfopdk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Lnlaomae.exe
        
        C:\Windows\system32\Lnlaomae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Lggbmbfc.exe
        
        C:\Windows\system32\Lggbmbfc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Limhpihl.exe
        
        C:\Windows\system32\Limhpihl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Mjlejl32.exe
        
        C:\Windows\system32\Mjlejl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Meffjjln.exe
        
        C:\Windows\system32\Meffjjln.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Mbopon32.exe
        
        C:\Windows\system32\Mbopon32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Nmhqokcq.exe
        
        C:\Windows\system32\Nmhqokcq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Nogmin32.exe
        
        C:\Windows\system32\Nogmin32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Nejkdm32.exe
        
        C:\Windows\system32\Nejkdm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Ogjhnp32.exe
        
        C:\Windows\system32\Ogjhnp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jhfjadim.exe

Filesize
479KB

MD5
50a19f1a41eecdd94b18158d17e85397

SHA1
0ee62ee9c1ee3b9d084247049176aba7e4ebc5a9

SHA256
b43cd93fb44b83961d2d5806b8efd08e6caa0043ec4023b0e5c8b657ca772c08

SHA512
050b8c77ca9fde9c94d99b4022944103a5c6273eccb5722760269679db4f4418fd26367ada73bbc3b3b2108ba7ba3f03e9cfb9ea6a1c6e1d870fdeea3a3ca548

Download Submit
C:\Windows\SysWOW64\Kjhopjqi.exe

Filesize
479KB

MD5
cab7a665cc1f9d03ec79d98babe4f12d

SHA1
d9af5bdd84dc296772bbabd3e8d744442462f158

SHA256
1c8139e9e52c6b1bfb032e078b07e2bb4eadec8b823fc6f4214b04988d191588

SHA512
dea3750b5359b1bee51067980c7f68b5053a5bef06643eb04bb5cbd59ccc5e7b649b086993951277c242b113411b222f4efb5b02e765386e914a1cd179a7bc57

Download Submit
C:\Windows\SysWOW64\Lggbmbfc.exe

Filesize
479KB

MD5
3522af262c856c1a2b959a0df6d5524b

SHA1
0f257102d4f9caac6bf6a884a29a72dc99a54347

SHA256
b6809e1c69d38b7bef30972e73f6d6a699349f323a86fca298192ac3e796e52b

SHA512
fbf5cfb84c4b6c1bf1702592bcda48fd0151a20aadb8562101bc2045b887fd65d898f6412e2ba47abb08685501fa36b0d2d396fe517fdf51f456e40727c4d00a

Download Submit
C:\Windows\SysWOW64\Meffjjln.exe

Filesize
479KB

MD5
102aef916c73ba26141f7418f5526c23

SHA1
0b72690b447b98381966ee0f7c5ad1add68e1407

SHA256
9455c88050ca9dad8f607fa4ac0b80d4d2df89899a4c8dec803aa77b00b02de1

SHA512
a62935a72f04b4b135475f9f6c2cbe4e32014fb006d7a2da16e8cea9948240c68356a02084bff8a7aaac81e713b001246a8ec2d413b9942601092837fedb69a1

Download Submit
C:\Windows\SysWOW64\Mjlejl32.exe

Filesize
479KB

MD5
dea3bb8fec4b5bdaff06b909cf43c774

SHA1
a9130aa39fd4a909d7190c08d82947b9e5ac7b15

SHA256
7786b8e0d930f059cc17116d7f749ec608d1e1897db4b2201054e425018eb458

SHA512
01b529ba3488d1bf22d74c48203cb8fa5bf6cb6ed45914f5863b640fc7f65ed8b330e9b8cf7fe65e067e35bc332737577957ee6e8b5fb8ad916b3dc146173bdf

Download Submit
C:\Windows\SysWOW64\Nejkdm32.exe

Filesize
479KB

MD5
db50bd1502f826a0dd33a9899d9db2e1

SHA1
c7ce28d2382c5aa86787ff1a852e20021e0e4ab6

SHA256
2b7f1a62146b97bc8c94090cb54cb0d0fb0abf7e22b4cd456ec8d3698d5f89be

SHA512
84d6844778da35dad9bc7cc236db8e62eff452cbb3eaa4a2104d38a921fc31742703a9c412131d82b9d16cdd159b3dc4cbfccade7423934be1f65d438a816e58

Download Submit
C:\Windows\SysWOW64\Nogmin32.exe

Filesize
479KB

MD5
12a2e25bca6568d4470d1b5423f9578f

SHA1
5d2556a9dbefda0c501648f0d3d4af5badf1849d

SHA256
2d444e335102c5f43dcb5ccafda9ab9b34ab811a0d80519f237ab74f60ef675c

SHA512
23aea8b29b264c02e1abc2367be448b2852faec7e34ac765976209f9e3e47483c6c9ca1a63cca417cceca5466ad6130d26b0dd11d1294d3fc8ec00b93fc90d89

Download Submit
C:\Windows\SysWOW64\Ogjhnp32.exe

Filesize
479KB

MD5
e9c58d561ead46d6defa84791a8a12a8

SHA1
3cfa9ec2e9370fb67d15e8373992a913ef89f6fb

SHA256
73ee17cf32e3976b048b81122b802880bb874110404ce61b9519aa84f1a0a65d

SHA512
cf92310cb79c92b40ee8bdf9ada9107defa179441692dc5242f544db2353243568ddb74051e1f4f931d7e86add550ab10e7a5eb9206392949c905d210a6a134f

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
479KB

MD5
7027ec18cd64f34d6eb99833c1a56ba4

SHA1
e856e905fddd7752f78d86f19c363a5d24dc3494

SHA256
0f19f4fdbaa86a6150b581ee462bf92bbbfd85903a942fc56ffb45aa8a3c2377

SHA512
b1fa7cda08456081256c4b29fcc4cb2ea0d5577de43f89d0c38827798b10e1c2e24c6cc5964a65ed2a854fab5cb62568b8d4d95afd8c9c78885b8578bbe78ea9

Download Submit
\Windows\SysWOW64\Ipkema32.exe

Filesize
479KB

MD5
682dd9d48f898134c7bdb745d0ea9aec

SHA1
261e0459124deef4bc0e5c3a8ddb9db7a88f63c2

SHA256
1470a3821a7abd30f6245c21d4fa2d0b2a4007f42132ea8ba5ba1b39faa62f68

SHA512
400aa60caed5c827007f639692c5042bf917d046ad7c6efee85befd794b08195f77c10b4562e1591c5e7471924abbcc6c90a0d3ae4711ab59a9a5ff3ae7d3164

Download Submit
\Windows\SysWOW64\Jcgqbq32.exe

Filesize
479KB

MD5
bd67086b0cd843cfe976c2df6348807b

SHA1
328055ebe7b5f6b05050e3c2df1022e4b975ea83

SHA256
de44e94014e23dedf300d43f2ae510a482b562124b407575612c7edf5293c0f4

SHA512
7789294f7306ab531c8c032b0e7c85c302e0be53273a77723082c7e349f2229b004e477456404bafac34c3a490bd010a908a971ff4ade5fd15a7847ae2872d96

Download Submit
\Windows\SysWOW64\Jnjhjj32.exe

Filesize
479KB

MD5
9ed9b872a7c8b5aa881f63bcd0b0de71

SHA1
05c9b77cab0b8bd40052081ad7ba5de1ccdd07d9

SHA256
22b5e03aad34875e4ece27886d01785e7585abc36318f392b2e465157c9495e0

SHA512
a4fbcf579bca7b1798c26e7e02b109460c805ca958c1b606e456f498efd40be35204c1cc9f0f2fc93dd221f4a851c7c8c0c1e40cf52434c0379737a69022912d

Download Submit
\Windows\SysWOW64\Kfopdk32.exe

Filesize
479KB

MD5
d73c08a8a200e58a42ed287bc444b1f4

SHA1
38a51aed01363c2fa4cfea164bab09e1de10f5d6

SHA256
ee6ac58c392f7cb574a54227d0ba13f333d26719263da2c98ddd4b9e0528117d

SHA512
7bf54831d9fd5eaf52785b51b89c45dcff06788082842e767a3abc3f17b5c8fab5e1fcaeef90bb75e82b032064615f36d7224578d0b7d4c3537e90849cff39d8

Download Submit
\Windows\SysWOW64\Limhpihl.exe

Filesize
479KB

MD5
4377bd472aaf62dc55291b9c699bc0a7

SHA1
cddfa06a317a2aa6291a8bff3d0a5860acc55b15

SHA256
3b4813c64a44739e3f292114dc47b327cb95448a37dbe96576290c29d2d82461

SHA512
ce9df8acb29e9c7afb85e656c0d353d7f014711a5c930efff591a71869412875722abf84383d0ce2f74bcfc44b4f137f70968d3394c95fb14813fdf0a05232ac

Download Submit
\Windows\SysWOW64\Lnlaomae.exe

Filesize
479KB

MD5
b1dd258bc4e74ee09a7c5d04b6615f28

SHA1
8cd5c98c2f02b73779152d856847785c31eb393c

SHA256
73883e25a32bdd3c298044b8bd875c6c07163b5135078796294e03e397a09760

SHA512
e9905be8b063282cc7f9a8b95a4aceb8c8d6c8a2188d244dfc2d14fb37ec4973ffd721fee76767bea3192f3dff01f0c49c6fb6c265064fb08445579f42542f98

Download Submit
\Windows\SysWOW64\Mbopon32.exe

Filesize
479KB

MD5
01811468b56e37c3b41dd7c76d325e97

SHA1
1a4e05d8b6d4b1afe70d7085b77ea311845e0a54

SHA256
51bd151278b897d8e21df82de22f1fa0504ee8faf5d265ac9fddd5399600a2d3

SHA512
1b29d1a3fb287548220baa33b84f46e56a0b00da122bca61e9462f937547099fd1222244f83e0236e18dbdc9a330061890d7b9bfebd051bb93579455bcfed808

Download Submit
\Windows\SysWOW64\Nmhqokcq.exe

Filesize
479KB

MD5
2aba6a5e5d71b5ac7f65457bc6d03bac

SHA1
acf2360b965bc92d1843b47e8ee42adff75784f2

SHA256
fa84acca67d1a09ab7fb3c7da90b5ecc431ec30b5b660cd271f96405ff16c190

SHA512
c53ca7d5855a788b5a1eae9b6dfb3a4e14fcf2765e12acd66abdb2c5faa130bd6cd57eecf8d21cf4af3a5b6a25f9cfff15ec5000f21e025c7162903dc98e51a8

Download Submit
memory/112-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-166-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/428-105-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/428-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-11-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/588-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/808-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-229-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/896-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-137-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1352-189-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1352-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-221-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1824-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-203-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2068-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-26-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2144-123-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2144-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-117-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2560-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-96-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2560-91-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2560-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-61-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2604-67-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2640-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-81-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/2640-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-35-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2792-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-49-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2920-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-151-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3012-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-179-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3012-180-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3012-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads