berbew | 42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08c

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Size

96KB
MD5

c4b588ec466ad8b1f88b11fa0a3f49a0
SHA1

fbb2f66d87edb5f57aca06df731b589f3027e623
SHA256

42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08c
SHA512

d8f5d231292756fc69b6137b4149fd2eeb7728ce0a9dc544112205652e940365bf6e04ef9c2b73e79e55ddf9a33430df2a4d6530ecec277dc37f0cbbf62484d3
SSDEEP

1536:cfApBAlkfDbjFzxp+1/jvjvHfFFfUN1Avhw6JCMd:A/kfHJzxp+FjbvfFFfUrQlMW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 8 IoCs

pid	Process
3032	Bjmeiq32.exe
2812	Bgaebe32.exe
2872	Bqlfaj32.exe
2192	Cmedlk32.exe
2996	Cileqlmg.exe
2636	Ckmnbg32.exe
2148	Cnmfdb32.exe
1616	Dpapaj32.exe

Loads dropped DLL 19 IoCs

pid	Process
2260	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
2260	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
3032	Bjmeiq32.exe
3032	Bjmeiq32.exe
2812	Bgaebe32.exe
2812	Bgaebe32.exe
2872	Bqlfaj32.exe
2872	Bqlfaj32.exe
2192	Cmedlk32.exe
2192	Cmedlk32.exe
2996	Cileqlmg.exe
2996	Cileqlmg.exe
2636	Ckmnbg32.exe
2636	Ckmnbg32.exe
2148	Cnmfdb32.exe
2148	Cnmfdb32.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bgaebe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2976	1616	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckmnbg32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3032	2260	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe	31
PID 2260 wrote to memory of 3032	2260	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe	31
PID 2260 wrote to memory of 3032	2260	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe	31
PID 2260 wrote to memory of 3032	2260	42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe	31
PID 3032 wrote to memory of 2812	3032	Bjmeiq32.exe	32
PID 3032 wrote to memory of 2812	3032	Bjmeiq32.exe	32
PID 3032 wrote to memory of 2812	3032	Bjmeiq32.exe	32
PID 3032 wrote to memory of 2812	3032	Bjmeiq32.exe	32
PID 2812 wrote to memory of 2872	2812	Bgaebe32.exe	33
PID 2812 wrote to memory of 2872	2812	Bgaebe32.exe	33
PID 2812 wrote to memory of 2872	2812	Bgaebe32.exe	33
PID 2812 wrote to memory of 2872	2812	Bgaebe32.exe	33
PID 2872 wrote to memory of 2192	2872	Bqlfaj32.exe	34
PID 2872 wrote to memory of 2192	2872	Bqlfaj32.exe	34
PID 2872 wrote to memory of 2192	2872	Bqlfaj32.exe	34
PID 2872 wrote to memory of 2192	2872	Bqlfaj32.exe	34
PID 2192 wrote to memory of 2996	2192	Cmedlk32.exe	35
PID 2192 wrote to memory of 2996	2192	Cmedlk32.exe	35
PID 2192 wrote to memory of 2996	2192	Cmedlk32.exe	35
PID 2192 wrote to memory of 2996	2192	Cmedlk32.exe	35
PID 2996 wrote to memory of 2636	2996	Cileqlmg.exe	36
PID 2996 wrote to memory of 2636	2996	Cileqlmg.exe	36
PID 2996 wrote to memory of 2636	2996	Cileqlmg.exe	36
PID 2996 wrote to memory of 2636	2996	Cileqlmg.exe	36
PID 2636 wrote to memory of 2148	2636	Ckmnbg32.exe	37
PID 2636 wrote to memory of 2148	2636	Ckmnbg32.exe	37
PID 2636 wrote to memory of 2148	2636	Ckmnbg32.exe	37
PID 2636 wrote to memory of 2148	2636	Ckmnbg32.exe	37
PID 2148 wrote to memory of 1616	2148	Cnmfdb32.exe	38
PID 2148 wrote to memory of 1616	2148	Cnmfdb32.exe	38
PID 2148 wrote to memory of 1616	2148	Cnmfdb32.exe	38
PID 2148 wrote to memory of 1616	2148	Cnmfdb32.exe	38
PID 1616 wrote to memory of 2976	1616	Dpapaj32.exe	39
PID 1616 wrote to memory of 2976	1616	Dpapaj32.exe	39
PID 1616 wrote to memory of 2976	1616	Dpapaj32.exe	39
PID 1616 wrote to memory of 2976	1616	Dpapaj32.exe	39

C:\Users\Admin\AppData\Local\Temp\42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe
"C:\Users\Admin\AppData\Local\Temp\42716fc677cf5919ceffc829a90b30be4d753268f306939c8cec61242b55a08cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\Bjmeiq32.exe
  C:\Windows\system32\Bjmeiq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\Bgaebe32.exe
    C:\Windows\system32\Bgaebe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Bqlfaj32.exe
      C:\Windows\system32\Bqlfaj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 144
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
96KB

MD5
9050d9a5ceb03df0fe9c42fd10250e0d

SHA1
a791f0f6d2e3991abf8657243a34944827ef6da0

SHA256
b95466877b0b8ac61c079da570b178dafbf1e1844c0c81b5d47840e43b107b3b

SHA512
530f2c5fac8cc1004d6742b84c47725f04127db9b39a72893629a2365c9eaf83dfad1affc852e1211e0b92e61490605f1df908a6da4909eaff9248d8ee2c5aac

Download Submit
C:\Windows\SysWOW64\Cmbfdl32.dll

Filesize
7KB

MD5
dd960e5b1a6efbffd5c19cfd3b1b9dcc

SHA1
ac49d4178a98dd08a1f51a8cd174d1d7a2bade20

SHA256
fa5efa67e522b6b71a42b4fbae60bbe46e61d346ecc0094f60bcb5bf4865b8bc

SHA512
60630ff56e30af0184acca523801e8f1382d948d672aae03b5c1f2748fee87e2554cfbd6ae73a8d304967b10b152104b7792bd3f21126c00903dc7dee1ebf822

Download Submit
\Windows\SysWOW64\Bgaebe32.exe

Filesize
96KB

MD5
3b5641d1d8911edd6044bcfc5f512fc5

SHA1
602fc7522390ada76105aa9fe6e46a63a5705dfc

SHA256
68ade59d5f03332d52c60176d8d1610d3ea626d2e32b7f2fe47a8f336449c091

SHA512
7a8ad642c03f2a9cab9b190972b9566382e3d0e027a5c0446b97a145f9e971616909c672a3b9b16419472d80f89501f80f5e45ade51b6b1758c54d4965e9d878

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
96KB

MD5
5d9685c0c74cb1656a1be709a70b6102

SHA1
2ddda7c3bd3c8d85614d6e04c46cd2214559e9f1

SHA256
02be61bc22f07ea756b21e3c6e250e740bb6b90b023185b3341aa021721ed19c

SHA512
68c8473914796a2554de378682ee954da7254a41b7fd798e44d8e77c02911834a64fe1cbce5e948062d0e818f45827e724ccfab421ad2a3b6848e232bae43324

Download Submit
\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
00e3de4bb5e1a3c52aa16b8ec881ab85

SHA1
7ce612ff554c7a7f54bd2e6d50ae192bad17a3ad

SHA256
8541ed6e62ae9a74ba45062e8b4c454fbfda0bc40d5c7a05e83cff9ea22225ed

SHA512
12b28665c70bf6ccaf22b1e7f3f7ec9fd37bc5006cd5037b86fa125f248bbf35186339559c573b3ce79f63bcd51324529bb7504003b0267b9af1ca5be164be05

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
96KB

MD5
3ec98440ee06160f6c145bc3c2b04c98

SHA1
c05b25aef289c9f49fcf2dbfd8808b551592f6d9

SHA256
13b77a5883b032b6508e6786433840b75d5abe52a436c27240af8817eaac8308

SHA512
494fabbb5f11fc58d76ed112cc25c4212a6cc8d0523d1b29816c10010b5cdb393de38a9a6727ea5d78882c7efcd30164cbd590197b38ed5704f6c507af524ae6

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
96KB

MD5
69b36824f832b68fced39401b92eac68

SHA1
562e089b78db0a6b26ca47685b4847cd57c4ac83

SHA256
f17d935d9b4ce68c283bf6ed57e2d3607e4e9ee9d4c2009f8f054ac1d57cd168

SHA512
5ed498716dc0a136b3924eeabef82dc09360f2b9d7f0083542b570ac8189d83ba6da2b34fa02d119b86000ab9f464fb5dccc247a71373850770b6127e703b05d

Download Submit
\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
026f2e2a021404d965f44ad062f7a905

SHA1
11cea6fcb9b610fda2e757897685d872da6c6111

SHA256
9eb0538c6e3ad172469918e2b288e052645f1deafbd6dba5ea596ad6cf7c19fa

SHA512
bb147970228eaf14aea62fc2eca7c6bb1d34c05c960a6ea709e34c0ccf07de8302cb693720e7c69eba9bfe9d5c4a17c0d3cae3bb72427f2b134385cc25188f6c

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
9f033e0e96499b980a42a94304c3920b

SHA1
9fa993f21a44f2463d5855d8976ff754d7b83221

SHA256
c647c1e5ae142fdda93d59f5f2ed84c65952f93c504139eae82da07b2ad30f42

SHA512
c9631539c56c2b6cc7db0a503fe325b112bfec207bfa50cc0ff50b0f7325a180ab894c077ccb08c35275ccd7a31018a76d3f406c8a179d064a0631144af23cc8

Download Submit
memory/1616-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-102-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2192-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2192-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-11-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2260-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-12-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2636-86-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2812-34-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2812-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2812-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-47-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2996-75-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2996-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3032-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3032-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads