berbew | 50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
Size

96KB
MD5

6840fede300ca19bda445bc73f61f970
SHA1

8b07165bb26eaaf73405f75610bd5a449ac35667
SHA256

50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801
SHA512

70ba40626be23c214e80207f4ee7c7617ef2c7478d2124702c3912e425960fe9074b7473fdc8dc50f3ffade9eb2a2341a29afe84d30662e2e43b02e4149994fc
SSDEEP

1536:mrO0X7ClOs4WCV+DU87ZpFtz/DJp55wu0Pknhk5aAjWbjtKBvU:AQ4WCsU879t/DJL5qEhk5VwtCU

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llbconkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 12 IoCs

pid	Process
2688	Kipmhc32.exe
2652	Kpieengb.exe
2808	Kdeaelok.exe
2600	Libjncnc.exe
2624	Lplbjm32.exe
1260	Lidgcclp.exe
2980	Llbconkd.exe
2040	Lghgmg32.exe
2764	Lhiddoph.exe
1468	Lcohahpn.exe
2428	Lemdncoa.exe
2036	Lepaccmo.exe

Loads dropped DLL 28 IoCs

pid	Process
2640	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
2640	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
2688	Kipmhc32.exe
2688	Kipmhc32.exe
2652	Kpieengb.exe
2652	Kpieengb.exe
2808	Kdeaelok.exe
2808	Kdeaelok.exe
2600	Libjncnc.exe
2600	Libjncnc.exe
2624	Lplbjm32.exe
2624	Lplbjm32.exe
1260	Lidgcclp.exe
1260	Lidgcclp.exe
2980	Llbconkd.exe
2980	Llbconkd.exe
2040	Lghgmg32.exe
2040	Lghgmg32.exe
2764	Lhiddoph.exe
2764	Lhiddoph.exe
1468	Lcohahpn.exe
1468	Lcohahpn.exe
2428	Lemdncoa.exe
2428	Lemdncoa.exe
556	WerFault.exe
556	WerFault.exe
556	WerFault.exe
556	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lghgmg32.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Lhiddoph.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lhiddoph.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Lghgmg32.exe	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Nmdeem32.dll	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Lemdncoa.exe	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lemdncoa.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Llbconkd.exe	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Lemdncoa.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lemdncoa.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Lidgcclp.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Lcohahpn.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Lidgcclp.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Ogegmkqk.dll	Llbconkd.exe
File created	C:\Windows\SysWOW64\Lioglifg.dll	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lidgcclp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
556	2036	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lioglifg.dll"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll"	Llbconkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Lidgcclp.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2688	2640	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe	30
PID 2640 wrote to memory of 2688	2640	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe	30
PID 2640 wrote to memory of 2688	2640	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe	30
PID 2640 wrote to memory of 2688	2640	50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe	30
PID 2688 wrote to memory of 2652	2688	Kipmhc32.exe	31
PID 2688 wrote to memory of 2652	2688	Kipmhc32.exe	31
PID 2688 wrote to memory of 2652	2688	Kipmhc32.exe	31
PID 2688 wrote to memory of 2652	2688	Kipmhc32.exe	31
PID 2652 wrote to memory of 2808	2652	Kpieengb.exe	32
PID 2652 wrote to memory of 2808	2652	Kpieengb.exe	32
PID 2652 wrote to memory of 2808	2652	Kpieengb.exe	32
PID 2652 wrote to memory of 2808	2652	Kpieengb.exe	32
PID 2808 wrote to memory of 2600	2808	Kdeaelok.exe	33
PID 2808 wrote to memory of 2600	2808	Kdeaelok.exe	33
PID 2808 wrote to memory of 2600	2808	Kdeaelok.exe	33
PID 2808 wrote to memory of 2600	2808	Kdeaelok.exe	33
PID 2600 wrote to memory of 2624	2600	Libjncnc.exe	34
PID 2600 wrote to memory of 2624	2600	Libjncnc.exe	34
PID 2600 wrote to memory of 2624	2600	Libjncnc.exe	34
PID 2600 wrote to memory of 2624	2600	Libjncnc.exe	34
PID 2624 wrote to memory of 1260	2624	Lplbjm32.exe	35
PID 2624 wrote to memory of 1260	2624	Lplbjm32.exe	35
PID 2624 wrote to memory of 1260	2624	Lplbjm32.exe	35
PID 2624 wrote to memory of 1260	2624	Lplbjm32.exe	35
PID 1260 wrote to memory of 2980	1260	Lidgcclp.exe	36
PID 1260 wrote to memory of 2980	1260	Lidgcclp.exe	36
PID 1260 wrote to memory of 2980	1260	Lidgcclp.exe	36
PID 1260 wrote to memory of 2980	1260	Lidgcclp.exe	36
PID 2980 wrote to memory of 2040	2980	Llbconkd.exe	37
PID 2980 wrote to memory of 2040	2980	Llbconkd.exe	37
PID 2980 wrote to memory of 2040	2980	Llbconkd.exe	37
PID 2980 wrote to memory of 2040	2980	Llbconkd.exe	37
PID 2040 wrote to memory of 2764	2040	Lghgmg32.exe	38
PID 2040 wrote to memory of 2764	2040	Lghgmg32.exe	38
PID 2040 wrote to memory of 2764	2040	Lghgmg32.exe	38
PID 2040 wrote to memory of 2764	2040	Lghgmg32.exe	38
PID 2764 wrote to memory of 1468	2764	Lhiddoph.exe	39
PID 2764 wrote to memory of 1468	2764	Lhiddoph.exe	39
PID 2764 wrote to memory of 1468	2764	Lhiddoph.exe	39
PID 2764 wrote to memory of 1468	2764	Lhiddoph.exe	39
PID 1468 wrote to memory of 2428	1468	Lcohahpn.exe	40
PID 1468 wrote to memory of 2428	1468	Lcohahpn.exe	40
PID 1468 wrote to memory of 2428	1468	Lcohahpn.exe	40
PID 1468 wrote to memory of 2428	1468	Lcohahpn.exe	40
PID 2428 wrote to memory of 2036	2428	Lemdncoa.exe	41
PID 2428 wrote to memory of 2036	2428	Lemdncoa.exe	41
PID 2428 wrote to memory of 2036	2428	Lemdncoa.exe	41
PID 2428 wrote to memory of 2036	2428	Lemdncoa.exe	41
PID 2036 wrote to memory of 556	2036	Lepaccmo.exe	42
PID 2036 wrote to memory of 556	2036	Lepaccmo.exe	42
PID 2036 wrote to memory of 556	2036	Lepaccmo.exe	42
PID 2036 wrote to memory of 556	2036	Lepaccmo.exe	42

C:\Users\Admin\AppData\Local\Temp\50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe
"C:\Users\Admin\AppData\Local\Temp\50a79913e85752bcee846cc0236d292178e53b5e0a591d6269c2e7350cecc801N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\Kipmhc32.exe
  C:\Windows\system32\Kipmhc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Kpieengb.exe
    C:\Windows\system32\Kpieengb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\Kdeaelok.exe
      C:\Windows\system32\Kdeaelok.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Lemdncoa.exe
        
        C:\Windows\system32\Lemdncoa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dlcdel32.dll

Filesize
7KB

MD5
a461c804fd9b6eaa43a5d3736794a822

SHA1
7c7029c1f0fff3b5a0bee9ba73047338f5750140

SHA256
784dc639493b29e0d127f4449b0d571856037982322da332f1ae801c61130de2

SHA512
c5bd4e0429172852a956e7c18021ec1fafdddaca430eba0ba0affcb71e34f82a7c241cfba8adfa3c430a60f1db98657a897e7f5ea938274f8490cd101e91c305

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
96KB

MD5
092bf9e96ef9f780c92aaeadb0247ff0

SHA1
adfab8ef91f690c824699e69997d6ba4ec7f8dcd

SHA256
a11bcc3ae31a4e08ffcb82f8f9a784545c8c6b352365c04c8d1319b80fc20445

SHA512
7495d09a184c24904d5e02eb5ff2d2a61645d47e1866eafd668c540f1a6b1fd369edd26e72ba65c7b64c2f3f563fb4fbd235227dd29ad3b78ace1edf13dec7a6

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
96KB

MD5
6dbcd55b8b770cfaaf288992a101494e

SHA1
0798a76f0b1000841b8ec813b829b5a83836fc59

SHA256
aa0471e2efa1a27b938d46bfa97953adc4b4f230b888b9778046512f5580b8b8

SHA512
3874ab280a4e89b785d79973a94d75ef196000de6a608f8d4ceba885ab9adbe19dde6a2bcb064048a57b41a78fe037910e1134e50865e00a603af6db833ee886

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
96KB

MD5
bb73c3232bb4cf94bc7f9c145ee65001

SHA1
2a06ed4ab7a3c80824811b802ffaaffed3beb657

SHA256
6348a5dbf046f7eabfee72465fd08d11ccf340f3860851e341c2cb1f81e14783

SHA512
96a878439876f36e49d8198d5bdca06eeb1da465a7320556ba29f596e3b9b37da399a516e6f139a22332d94242e0abdf3e32648cdcf302fb5a0348b8d68b5251

Download Submit
C:\Windows\SysWOW64\Lemdncoa.exe

Filesize
96KB

MD5
10ad85b3a1f13d0fe1c5cd5157be4e90

SHA1
4b156a3f2732e98592bd23ad6894b7573a673a83

SHA256
a8a51fc1424fb06cfdb2038dca28e630ce27809d997d8025d57b3fd5c64b7181

SHA512
cf383c8fc65ce5cf8c170880acd5704669e3103e67ec3ca61c888310ad445aa7270271b0920d1963295528d65d6a203051e34893815f69f3fb65cd41c3c77a40

Download Submit
\Windows\SysWOW64\Lcohahpn.exe

Filesize
96KB

MD5
0cc937af99fb6843610410f585739255

SHA1
c660bcf2fd3cd168e0e957f66d55851f632daf75

SHA256
c6025b790c0483b91463874515388648e372f7eae3338818cbea7996843b8201

SHA512
4171b09dc18bd4b4f46374729f0f3b3a25776458621b2fae9b258f99d219e3d0661463b23bb12c0145656272ba0ef33bb6f400b7e095ebd132027c40eab0dfe0

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
96KB

MD5
45fb4a7116555efe22f33481504aa267

SHA1
19728d59b3404c0671a112a9f91cf13db57a632f

SHA256
4c57eda5a812999e380cf6d0b8d2b08675b9789660a095cc5e95318c70a036ff

SHA512
b4adf0df73fc9071c4aeb5acf89f60135f3d5c4f2bb72613d3ef4a81c6c8f3f92ccec08a14c793afeb566ca35347ae514093d49ccd57b581d7f5f132aea0f9a2

Download Submit
\Windows\SysWOW64\Lghgmg32.exe

Filesize
96KB

MD5
a12c0d4f6f8c9239918b32090751624e

SHA1
2d5f304b49e90cbc350d6c31f291ee74729f6c78

SHA256
4d0790ffc1c60a3502c1a64f7980dc16bc5a252c6c81f374ed935d19f8753deb

SHA512
c2fbba350a01f5ed7e2275ea086737b76f13545946fd0005ea62f6628deec81bb34f8055af0a79a3239a9554eb3cf1de12fb669403389595bc56a5b104018fc7

Download Submit
\Windows\SysWOW64\Lhiddoph.exe

Filesize
96KB

MD5
f1f6453edac7098dae9f177895242114

SHA1
7948c7d7f947f32f64795665d47c0b0f5743dd04

SHA256
a16f5371996d392899d9a40a28f6f81f814b5ffa406193bd55087dce5e3bec51

SHA512
fa23bce75439f3ab43d9f4edd658b42a2b2cffa320bf6b77aa9016e72defbc084bc2149e5c791bdd9882941abd146038441d7f02a45d5e9a54842b00dd0d5465

Download Submit
\Windows\SysWOW64\Libjncnc.exe

Filesize
96KB

MD5
b1a32f4f579cb970e8945e32e8b8d504

SHA1
78623f600cb73f755bb15e698d373fd7e9f03228

SHA256
552b1f1e97f61868be7364a79a605ace7126f1db437f5339b2b589d144505f58

SHA512
fa76574de0dc3f7b2f9e7ca8961bb375d6a01facca7d956fd94a5fd2e8adbfbdeef2211afd2e88b2df55a99b2e69d5ded9a221abc359f4cc0912e5982825e7cc

Download Submit
\Windows\SysWOW64\Lidgcclp.exe

Filesize
96KB

MD5
a9e961493ed5111c4f3c0f8b81b53114

SHA1
f5fd195bd8f711c88c21b8d8c67e105e8e357225

SHA256
abbda86458fccbd52fbeaab92571a0e3a9b7299364cfa8143fad8d5e2fc20302

SHA512
7a4eb02b4e74f1d51ce520e56bc60a99435f3544b38c3a3d24010d838561c1c1dda3c24178fd0ee236b872588c4ae064f1da718385d39ced34b14c5e22b5a36e

Download Submit
\Windows\SysWOW64\Llbconkd.exe

Filesize
96KB

MD5
a9c048c5fd29204edf3db2ca3cc57dc3

SHA1
f35e6f7268c59d8496101eba3d7497925d995a0f

SHA256
1e2942b1475ae707b69a463909e7c2e44d17c956495c71410a0b27e05116eb4f

SHA512
fe3a8a97ab9860d04078112d0c84aceddb9378c31ea15c45cf33e1fd0cb28053d32937d34a7ae6d9c54afa74a5343213870be12f471ae3349f5277b2e11c6f11

Download Submit
\Windows\SysWOW64\Lplbjm32.exe

Filesize
96KB

MD5
165a4a2398302a7d9dbb3ddae20c4b7d

SHA1
fde0da52829cf2c3a18cf649323a594b8c6d28b9

SHA256
798f822da1235cb4977720610a2a3e3ac8830a7b518db5a3b07a256953e166c9

SHA512
b71fdb6e3d3fcaf7732bdb101e22e1f1b6fb410b1a69ce3a7ff99f8d87dad4596be05b84280b131a8742bb13c9afa33332114646b84168c67f2887bec7c9b1e2

Download Submit
memory/1260-157-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1260-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1468-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1468-158-0x0000000000340000-0x000000000037F000-memory.dmp

Filesize
252KB

Download
memory/1468-185-0x0000000000340000-0x000000000037F000-memory.dmp

Filesize
252KB

Download
memory/1468-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-182-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2040-130-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2040-129-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2040-175-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2040-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2428-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2428-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2428-168-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2600-66-0x00000000003B0000-0x00000000003EF000-memory.dmp

Filesize
252KB

Download
memory/2600-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2624-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2624-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-11-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2640-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-82-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2640-68-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2640-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-12-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/2652-84-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-27-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2688-83-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-142-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2764-181-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-183-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2808-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-49-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2980-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-114-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2980-109-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2980-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads