berbew | 48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Size

96KB
MD5

4e1b99225711e23ad4f279e8b285146e
SHA1

487f4b1e04fd3619a9d21ee99e0ac7f12c37797c
SHA256

48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de
SHA512

6af0e53bddccac495d107483565bae7fab0528ede72e9c5c34e9dc6d8c7cc48023cc245824a789510386f76f45afa0ffe75859fbe7b14be1793d3c7f637e99bd
SSDEEP

1536:gTrj3gt8bTMGZjQ0AjxrGVovJFKoKbHE/ktvduV9jojTIvjr:gT/Qt8bIun3Vo3KoK3tvd69jc0v

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lofifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lghgmg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 17 IoCs

pid	Process
2764	Klecfkff.exe
2968	Kjhcag32.exe
2740	Kkjpggkn.exe
1256	Khnapkjg.exe
3060	Kkmmlgik.exe
2440	Kpieengb.exe
1048	Kdeaelok.exe
648	Libjncnc.exe
852	Llpfjomf.exe
1296	Lgfjggll.exe
108	Lidgcclp.exe
1820	Lghgmg32.exe
584	Lhiddoph.exe
1712	Laahme32.exe
2084	Lhlqjone.exe
2240	Lofifi32.exe
2512	Lepaccmo.exe

Loads dropped DLL 38 IoCs

pid	Process
296	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
296	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
2764	Klecfkff.exe
2764	Klecfkff.exe
2968	Kjhcag32.exe
2968	Kjhcag32.exe
2740	Kkjpggkn.exe
2740	Kkjpggkn.exe
1256	Khnapkjg.exe
1256	Khnapkjg.exe
3060	Kkmmlgik.exe
3060	Kkmmlgik.exe
2440	Kpieengb.exe
2440	Kpieengb.exe
1048	Kdeaelok.exe
1048	Kdeaelok.exe
648	Libjncnc.exe
648	Libjncnc.exe
852	Llpfjomf.exe
852	Llpfjomf.exe
1296	Lgfjggll.exe
1296	Lgfjggll.exe
108	Lidgcclp.exe
108	Lidgcclp.exe
1820	Lghgmg32.exe
1820	Lghgmg32.exe
584	Lhiddoph.exe
584	Lhiddoph.exe
1712	Laahme32.exe
1712	Laahme32.exe
2084	Lhlqjone.exe
2084	Lhlqjone.exe
2240	Lofifi32.exe
2240	Lofifi32.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Khnapkjg.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Nmdeem32.dll	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
File opened for modification	C:\Windows\SysWOW64\Khnapkjg.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Ogegmkqk.dll	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Lofifi32.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Oopqjabc.dll	Lhlqjone.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lofifi32.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Klecfkff.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Llpfjomf.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Lhiddoph.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Ppdbln32.dll	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Onkckhkp.dll	Laahme32.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Lghgmg32.exe	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Lhlqjone.exe	Laahme32.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lofifi32.exe
File created	C:\Windows\SysWOW64\Lghgmg32.exe	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Laahme32.exe	Lhiddoph.exe
File opened for modification	C:\Windows\SysWOW64\Lofifi32.exe	Lhlqjone.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Hfopbgif.dll	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Lidgcclp.exe	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Lidgcclp.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Lhlqjone.exe	Laahme32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lofifi32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Laahme32.exe	Lhiddoph.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	2512	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laahme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lofifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhlqjone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lofifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lofifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laahme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oopqjabc.dll"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdbln32.dll"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkckhkp.dll"	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laahme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lghgmg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2764	296	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe	30
PID 296 wrote to memory of 2764	296	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe	30
PID 296 wrote to memory of 2764	296	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe	30
PID 296 wrote to memory of 2764	296	48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe	30
PID 2764 wrote to memory of 2968	2764	Klecfkff.exe	31
PID 2764 wrote to memory of 2968	2764	Klecfkff.exe	31
PID 2764 wrote to memory of 2968	2764	Klecfkff.exe	31
PID 2764 wrote to memory of 2968	2764	Klecfkff.exe	31
PID 2968 wrote to memory of 2740	2968	Kjhcag32.exe	32
PID 2968 wrote to memory of 2740	2968	Kjhcag32.exe	32
PID 2968 wrote to memory of 2740	2968	Kjhcag32.exe	32
PID 2968 wrote to memory of 2740	2968	Kjhcag32.exe	32
PID 2740 wrote to memory of 1256	2740	Kkjpggkn.exe	33
PID 2740 wrote to memory of 1256	2740	Kkjpggkn.exe	33
PID 2740 wrote to memory of 1256	2740	Kkjpggkn.exe	33
PID 2740 wrote to memory of 1256	2740	Kkjpggkn.exe	33
PID 1256 wrote to memory of 3060	1256	Khnapkjg.exe	34
PID 1256 wrote to memory of 3060	1256	Khnapkjg.exe	34
PID 1256 wrote to memory of 3060	1256	Khnapkjg.exe	34
PID 1256 wrote to memory of 3060	1256	Khnapkjg.exe	34
PID 3060 wrote to memory of 2440	3060	Kkmmlgik.exe	35
PID 3060 wrote to memory of 2440	3060	Kkmmlgik.exe	35
PID 3060 wrote to memory of 2440	3060	Kkmmlgik.exe	35
PID 3060 wrote to memory of 2440	3060	Kkmmlgik.exe	35
PID 2440 wrote to memory of 1048	2440	Kpieengb.exe	36
PID 2440 wrote to memory of 1048	2440	Kpieengb.exe	36
PID 2440 wrote to memory of 1048	2440	Kpieengb.exe	36
PID 2440 wrote to memory of 1048	2440	Kpieengb.exe	36
PID 1048 wrote to memory of 648	1048	Kdeaelok.exe	37
PID 1048 wrote to memory of 648	1048	Kdeaelok.exe	37
PID 1048 wrote to memory of 648	1048	Kdeaelok.exe	37
PID 1048 wrote to memory of 648	1048	Kdeaelok.exe	37
PID 648 wrote to memory of 852	648	Libjncnc.exe	38
PID 648 wrote to memory of 852	648	Libjncnc.exe	38
PID 648 wrote to memory of 852	648	Libjncnc.exe	38
PID 648 wrote to memory of 852	648	Libjncnc.exe	38
PID 852 wrote to memory of 1296	852	Llpfjomf.exe	39
PID 852 wrote to memory of 1296	852	Llpfjomf.exe	39
PID 852 wrote to memory of 1296	852	Llpfjomf.exe	39
PID 852 wrote to memory of 1296	852	Llpfjomf.exe	39
PID 1296 wrote to memory of 108	1296	Lgfjggll.exe	40
PID 1296 wrote to memory of 108	1296	Lgfjggll.exe	40
PID 1296 wrote to memory of 108	1296	Lgfjggll.exe	40
PID 1296 wrote to memory of 108	1296	Lgfjggll.exe	40
PID 108 wrote to memory of 1820	108	Lidgcclp.exe	41
PID 108 wrote to memory of 1820	108	Lidgcclp.exe	41
PID 108 wrote to memory of 1820	108	Lidgcclp.exe	41
PID 108 wrote to memory of 1820	108	Lidgcclp.exe	41
PID 1820 wrote to memory of 584	1820	Lghgmg32.exe	42
PID 1820 wrote to memory of 584	1820	Lghgmg32.exe	42
PID 1820 wrote to memory of 584	1820	Lghgmg32.exe	42
PID 1820 wrote to memory of 584	1820	Lghgmg32.exe	42
PID 584 wrote to memory of 1712	584	Lhiddoph.exe	43
PID 584 wrote to memory of 1712	584	Lhiddoph.exe	43
PID 584 wrote to memory of 1712	584	Lhiddoph.exe	43
PID 584 wrote to memory of 1712	584	Lhiddoph.exe	43
PID 1712 wrote to memory of 2084	1712	Laahme32.exe	44
PID 1712 wrote to memory of 2084	1712	Laahme32.exe	44
PID 1712 wrote to memory of 2084	1712	Laahme32.exe	44
PID 1712 wrote to memory of 2084	1712	Laahme32.exe	44
PID 2084 wrote to memory of 2240	2084	Lhlqjone.exe	45
PID 2084 wrote to memory of 2240	2084	Lhlqjone.exe	45
PID 2084 wrote to memory of 2240	2084	Lhlqjone.exe	45
PID 2084 wrote to memory of 2240	2084	Lhlqjone.exe	45

C:\Users\Admin\AppData\Local\Temp\48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe
"C:\Users\Admin\AppData\Local\Temp\48f811250ecf5ce24af9793bf9fd42a7f1c7cdd4d7bcddadd1aa09084ed544de.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:296
- C:\Windows\SysWOW64\Klecfkff.exe
  C:\Windows\system32\Klecfkff.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\Kjhcag32.exe
    C:\Windows\system32\Kjhcag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Kkjpggkn.exe
      C:\Windows\system32\Kkjpggkn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Laahme32.exe
        
        C:\Windows\system32\Laahme32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Lhlqjone.exe
        
        C:\Windows\system32\Lhlqjone.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Lofifi32.exe
        
        C:\Windows\system32\Lofifi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
96KB

MD5
94920eb304ab06b5f9c61db473253cf6

SHA1
a94506b66ad0e38361342937c7eef63b6a79e0c7

SHA256
470a26d92684842f4a32f2640727caab75ab06c36f17ac882b9e7eb466c8505d

SHA512
e8b3dfe0704d58df422a8beeebc362d1d5926e3d555f97a021da97c39b6e95b4630771f579e38461972c3982477c2abfbd8c0bdc24ea8319e3413f3f6a8a3957

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
96KB

MD5
56f3fa0d83ae7a465ff66ab826e31474

SHA1
a0bccf9b96d4f63e7dfb46c74f861ed01f705ab9

SHA256
e769477ca59f8ab332528e1146a4b5d20161ffccfb16655f7e7d8a5ce2f321ae

SHA512
526728b5df0ca18d253e7703a768219aed634e6d6b5d11c4299ee9ee613a540d66d8dd1c5962b4645a656176937315148725df8bc4a2cfeebc82a1be87ca5588

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
96KB

MD5
a4fd12e390e92cb4a4c310263a473106

SHA1
f23ed5a3bad69c5fde8d61999754adf514f5d297

SHA256
85c25171680e587e80da8f61a0af444a2ee70f7eae8ef2607fe8b5397299ed77

SHA512
3f1ef23f88d4dbc57b05e34b5dd1b775a70723b813d680c2596ccc2ba2a076ca027741851da6b20b0a3fdd4b4c8c0f8d73a12a54890f56919ce47f01423780ae

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
96KB

MD5
c4038031ae2c46dc4bf12c642096da1f

SHA1
366c7ba603f356888c92a8558889592bbb7f2649

SHA256
f6082e071d5b9f214b21f995f64b236066af2b35066786c58b954b3cb15de119

SHA512
ab4b468936fd48e2a74fed957633c6d0e52fc28e3cfc1ebc6543b2976b2c799cce9fd4c46e661ee3828c397c973744ad8aa1da0cf2892bd391c66400cc5527cd

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
96KB

MD5
c794fac04486c9f86f7adaa523818ea0

SHA1
2d2172c72e9c2d16fd3438ce1806f67cbdd3c73e

SHA256
4a24c4a47137cad0bc1e77bdaf1f5b150c2a6e2fff97c8263af0846132c5ec15

SHA512
a164b61678856712dc1ca2b7a1e9573819b917173f5a3152a8b87d1284b1c9298dc353977d2891425a8f4b6665a9de29476d4b6661e162fe44e8fa3e6754cde0

Download Submit
C:\Windows\SysWOW64\Lhiddoph.exe

Filesize
96KB

MD5
c394250ee26e6b30fc15dfe5a834d4c0

SHA1
b69aeef53ce165dfbf2dda93a50b5e7339ba0e56

SHA256
61daebb958397348d18f5817d33fbf39a01af4ee64c8e4e3c2227e0e9c9830d6

SHA512
b4567ac55132bfe5b16fd6fc6e0cb64c392ed23a0f60016d07d1faa33ee090925b1dd27a547a9a05ce8475738ed2ea8682f2dfc8d72741385ebd7377b2412355

Download Submit
C:\Windows\SysWOW64\Lidgcclp.exe

Filesize
96KB

MD5
a803509ee8175bfb450cd1cfee6f4471

SHA1
c1d99fc727a22494f6483671918cce00e324da91

SHA256
133bb8c17836fa7e7e6d9d33a8cb3ed1422c17295516e7a79c639bee5b24332a

SHA512
4398ab33af3d42673db54fe13d52af7c4d0c122b7f51f9911d82f9616ab3c63b93ef76ec4be9539ae963fcf8da5890447d1e630293b3495acd871e422a42f968

Download Submit
C:\Windows\SysWOW64\Onpeobjf.dll

Filesize
7KB

MD5
d216710a4646195abd23f6534a6ee222

SHA1
cbc183eb1012a19c615935704ffb0d890e65de8a

SHA256
0acba6c51d538f8f445fe6e4f5c780b86dd047fbab9e123c35ff1b789d4d37bd

SHA512
53f218230b30326502b91e4242216ef0a3b3710ffa9dd61c6e8a64d34ce72519c965aa43fb375a17c11571f46ba9d2efec5bcb001e8eadf6c99b54bd2ad62d0d

Download Submit
\Windows\SysWOW64\Khnapkjg.exe

Filesize
96KB

MD5
1fb1fb5aba4a7510d7febf8a68f7b4fe

SHA1
1078848b8e9fcdcd3fbeaad2dd87aa23a1e3e61e

SHA256
8f7ad9773a1c7c12f6f0c220f080f3ce60e08c459a5a43fd94fa8911b32dcd98

SHA512
a39cb3596febda7619c67b4e68824a28c3a49cf8d8260a94a0df2aa945e70b9980feeb2b8fc381d11f70792a20b12963c90c7a66b2f18e8cd41e30b244e77ff9

Download Submit
\Windows\SysWOW64\Kkjpggkn.exe

Filesize
96KB

MD5
8db4bb581e7ba53d7aff69b8382f4b9a

SHA1
3f1759313519359a0ae20104ed7c72b672108e3c

SHA256
b98d56e20fdde99f4ec6bfd5b4c86de14ac28b6031a2413ae7baf4fb03cc796e

SHA512
b91566a6e8988ceaf36b978498a28c64c6d0feed19f6304a7dcca0c26d17ce75ca42595f5ef7dc9f5da7ffd2a2b5870d4ccd5dbc1228bec72d3c053fb66eee98

Download Submit
\Windows\SysWOW64\Kpieengb.exe

Filesize
96KB

MD5
7a4beb017492743283378f82689e4bce

SHA1
3399f5bd9fc3bc08a896504e61d4f870dbd0a421

SHA256
7c387bad7aec2c622f94449aa57dea0fae8883418827e966b94daac69f2a22da

SHA512
f64e41bdba2cd4430def9b01bea1e83a9de876e35d105442b8d0a92c97a22a1cc96e766d694e0733a10fb2d2d1c3bc7b21c8084c5153a9106cee45490fd4c13c

Download Submit
\Windows\SysWOW64\Laahme32.exe

Filesize
96KB

MD5
5ad866d7c11c7dbb2c48ec70076d9878

SHA1
196efcc4876601f2888b04d97be3eb4628832734

SHA256
83de0cc0085d04e5fec2cf8752e74409475bdf29152b6439401ee3aa6aef3d51

SHA512
ab0167ba552cdc8f257761aa4dea9b1aeb71ac552e86e55a625f027b0af213c4358203a0d6e0ad34980ab5a144c436b24c3265358a8d980362882bcdbe0c86d9

Download Submit
\Windows\SysWOW64\Lgfjggll.exe

Filesize
96KB

MD5
2ec59d8281120890a4ad84dc0d215763

SHA1
a2dfe9bd6e1e480820b683af6a2efd597760b66f

SHA256
249c3eef5f41e0db3ec3a75901522ff878a275a2a19704d4a3ca37466779389f

SHA512
3830f5c206022f19a5674c6acb74d63421d2a1d465eee2b0b5781b7325d0ded666a57f4faf3acca28b8f86d31ee297014d9e12019a2cf24364ad8f36856f32dd

Download Submit
\Windows\SysWOW64\Lghgmg32.exe

Filesize
96KB

MD5
1381f84b3c74a74d0007ac71724cf6c3

SHA1
d3719ba2f5903f1faa248a4b3314e074958a4583

SHA256
c537c0603ed33e5f28808bbf1cbb1bee70efe8aef8603e039e518410b94b686d

SHA512
9287c03866afe9887dabc6cfe65ae572d5a077e86c65ab0ff6360f5988f86dd5edcb3264d4cf6d605aa55b4cdfdbf753c2757c1a645191425796b8fe06a77a3d

Download Submit
\Windows\SysWOW64\Lhlqjone.exe

Filesize
96KB

MD5
dd3304ed48e25cb7a814587016c438fe

SHA1
a7c1b4ea1f5ddd6b107cf73a8ab044874e3cb24d

SHA256
1203933a5de00af66079354278ed286ef39216d9c541213af68a035faeb234a9

SHA512
be3004a1be216dd5f22db965bebbc168ad881c09d775eb9e47347ab263b13030867020e51c21be40e15c49102ced9b09fbb6f5a8f286b02cbc6ff803d33082f9

Download Submit
\Windows\SysWOW64\Libjncnc.exe

Filesize
96KB

MD5
2a83d6728f7de42e623276aa2243ea11

SHA1
cf37350d4ae2c7b6334afa06d9c79fb1a8c7902c

SHA256
0a7981655c9caeeddd29f1cb5617fd19206db98e719c5f89fa86310ad37db1a1

SHA512
39adb91a23acc5d9c7acbb5e81f8d65e3b7010aed4041177084d869ae8ad57723f855bd5dbbf52cd1204c5163dbdd866d2c38d14fceefae9eec482b2e3e1d040

Download Submit
\Windows\SysWOW64\Llpfjomf.exe

Filesize
96KB

MD5
b3b828ae146a1ac98e02f70ab6737710

SHA1
6e86ce6e2832278b875a7d3e70ba13a90ab86c93

SHA256
937714e4216d530ff4ca0226cd42531426a95f53c89e8a2da7bd1740800ce8ba

SHA512
df284d617c9bff159a47f7bc8dcc5d89ede5950136fa0c8a747ce5b0fce0daf987de26ad7be9ed876bd76831188394523035c719d084787d0fa6e768be9fc371

Download Submit
\Windows\SysWOW64\Lofifi32.exe

Filesize
96KB

MD5
cd5823f414d56102e23e54df63fd93ec

SHA1
b6c64a9f00bf9bcc5d852b7e7976fdc217cc9e52

SHA256
f7b25ba55f94aa0f1ac539afe39ff80f18dbe3bd7cd62fb3617b6a42f906c11f

SHA512
9c3635efaf0f17b7ff489bb8ff83a862a689b179bb7abcb3bf6b7975868f519f848fb1e9cd33429f312c0aa5183007d5ed72fdff32dc0e510cc5a807af8a6987

Download Submit
memory/108-154-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/108-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/108-226-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/296-238-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/296-24-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/296-23-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/296-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/584-181-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/584-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/584-173-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/648-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/648-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-228-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-63-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1296-227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1296-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1820-171-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-207-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2084-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-234-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-50-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2764-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-26-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2968-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2968-36-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2968-235-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads