berbew | 6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Size

56KB
MD5

bfbfd46d5b27250d3a44f11fa39ba980
SHA1

3780126e7d81a8faa22811ce91093722eecb1507
SHA256

6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807
SHA512

e5b31fb574c99a526385ca39a0cdfefeaf0e526366fa6b89a009a4c8ed614896f80404039f343ad5878418485d4c091d63fa60eee78f70b7dbacaa7e9c1482e9
SSDEEP

1536:TNkPKfEALS5OWmPgQ3PbPGyIZb1Z2gvLxff:+PKfEA/WmPxPj2Z2ALlf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 10 IoCs

pid	Process
876	Dfnjafap.exe
2708	Dmgbnq32.exe
3888	Deokon32.exe
2008	Dhmgki32.exe
3864	Dfpgffpm.exe
4880	Dmjocp32.exe
5048	Deagdn32.exe
1160	Dhocqigp.exe
4540	Dknpmdfc.exe
4744	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
548	4744	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 876	1964	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe	86
PID 1964 wrote to memory of 876	1964	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe	86
PID 1964 wrote to memory of 876	1964	6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe	86
PID 876 wrote to memory of 2708	876	Dfnjafap.exe	87
PID 876 wrote to memory of 2708	876	Dfnjafap.exe	87
PID 876 wrote to memory of 2708	876	Dfnjafap.exe	87
PID 2708 wrote to memory of 3888	2708	Dmgbnq32.exe	88
PID 2708 wrote to memory of 3888	2708	Dmgbnq32.exe	88
PID 2708 wrote to memory of 3888	2708	Dmgbnq32.exe	88
PID 3888 wrote to memory of 2008	3888	Deokon32.exe	89
PID 3888 wrote to memory of 2008	3888	Deokon32.exe	89
PID 3888 wrote to memory of 2008	3888	Deokon32.exe	89
PID 2008 wrote to memory of 3864	2008	Dhmgki32.exe	90
PID 2008 wrote to memory of 3864	2008	Dhmgki32.exe	90
PID 2008 wrote to memory of 3864	2008	Dhmgki32.exe	90
PID 3864 wrote to memory of 4880	3864	Dfpgffpm.exe	91
PID 3864 wrote to memory of 4880	3864	Dfpgffpm.exe	91
PID 3864 wrote to memory of 4880	3864	Dfpgffpm.exe	91
PID 4880 wrote to memory of 5048	4880	Dmjocp32.exe	92
PID 4880 wrote to memory of 5048	4880	Dmjocp32.exe	92
PID 4880 wrote to memory of 5048	4880	Dmjocp32.exe	92
PID 5048 wrote to memory of 1160	5048	Deagdn32.exe	93
PID 5048 wrote to memory of 1160	5048	Deagdn32.exe	93
PID 5048 wrote to memory of 1160	5048	Deagdn32.exe	93
PID 1160 wrote to memory of 4540	1160	Dhocqigp.exe	94
PID 1160 wrote to memory of 4540	1160	Dhocqigp.exe	94
PID 1160 wrote to memory of 4540	1160	Dhocqigp.exe	94
PID 4540 wrote to memory of 4744	4540	Dknpmdfc.exe	95
PID 4540 wrote to memory of 4744	4540	Dknpmdfc.exe	95
PID 4540 wrote to memory of 4744	4540	Dknpmdfc.exe	95

C:\Users\Admin\AppData\Local\Temp\6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe
"C:\Users\Admin\AppData\Local\Temp\6347776f01aa38f6b48609f3b7f9caee81a9323be0a135f54bc8a2c7cb662807N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\Dmgbnq32.exe
    C:\Windows\system32\Dmgbnq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Deokon32.exe
      C:\Windows\system32\Deokon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 404
        12⤵
        Program crash
        
        PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4744 -ip 4744
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deagdn32.exe

Filesize
56KB

MD5
599739bc223e4321f2d20ead6f668555

SHA1
adb5599a76c4c2e3c4788ca5fe21b05700f8f744

SHA256
49b22252e97a1d28e43750d55b2a98cd9f38facfd6675d6e756b61ca9421cbfa

SHA512
331ec0647b071ffd4972d210ba3b7eea34ee6b5708b19790698406c7de1a727a5e80ff7d976ff4700b3b75e51c1d5acdf6eba525a7e1913d0421b06cbb282226

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
56KB

MD5
63194ce560abab0d0842b2013f5f60a3

SHA1
7c5ce651b7997ef4b9133a22511f374ede4dfc08

SHA256
c6dce8e81fbb45f156d8f1e3927e72f6397fcd3aa7f9e39738f55d59d3e0018f

SHA512
acbb2c0eb297205698471ca2db8f4125a2f9ebf69a64375bc811e661360853180d0380057143be5859e9acce9bceb5cc2f0086d254e6c3c750b16de97958470d

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
56KB

MD5
91f7af503f88aec81a02e456f9ee7183

SHA1
fc8474925da7dcdc435b11f5e661726605f3550e

SHA256
abe89267da586ed394e7a6c902ca0e975395d5d3528a8498e05af2710f0214e8

SHA512
2c422ed7fa7514cbbe688ecb0a2a6bd8b0adffd058667f3058f410f261552587ce7541205c6481e243b49cba6903d79b801da49afe655c94a9afc85c64936af4

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
56KB

MD5
1887e5168bb880b29507802534f31b55

SHA1
24c346129b45fdc1c820a372f46420fca9f37056

SHA256
9a55b78678846bec14b17ba24775b64442d0c5596d292f8d3dc3734edd19ab0c

SHA512
5c19023f1b66a6bc4ffdc2875b3a18322bd50937241ee89d0faa8529f3cb786548e0f6e1dd4899f244d9cfdee1966dd07f1c892da17bde931f0146df6967c8b2

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
56KB

MD5
b42c78af1bdfd4a274943fa0fe4ffcf9

SHA1
ed18c3811b86299747d2a386d8950fff62e706c5

SHA256
a8ab939449a872607c3aec89efaa0000f3716c6db3a9a2204fd71d912599721a

SHA512
b42f389cdac861f384a1b2bbcefce871f31e0fd4b1e51e2080ce40e9d0de384b41a6ae5c846719f7d5eccdf1e4b2cf6b9150b6fcf53efee888000ac5924401cb

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
56KB

MD5
558f8cdb2a976467fcdad48d2efe126f

SHA1
b7bafc483cdd5dc1a04a96826eff8c50da18224a

SHA256
ad628f9e3b1c5c96447385e1934dd68b3e34456039f5c007e0680785263fb701

SHA512
971b3751909b64ef9c627a3f6c9bf6775b3b0229c38b4c2436659658db82c0a353ab73572fd1d97012e185f2bae8a956d3634130cdb2818999c39423c418fa68

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
56KB

MD5
423c38da9eb72b7ffefe0a4518620482

SHA1
baa50966e2c89187cd94edeffc668f533c512cdc

SHA256
aff2753646780da05746aa639d959ec8a11ed48ee467116078c09c5fdeb11f46

SHA512
aa5571fdb0bcea10482aee0f09939c28d2fcff231a642b73369c6069275aed3f42f7df9358c3415064a1159cc4be5da38cd45f55fd6509995377418feab744fd

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
56KB

MD5
9af472be75dcab9b03746528b55f77f3

SHA1
4dd7246508088ef148d63e250c6151f59c08f21d

SHA256
19cbfd51db4c486bd8bff96144e759ef74c05ff73552bf5579867229603e62e8

SHA512
eaa3bf018446fc9a9e4483f4a77eb2930ff2994faf5ec66fb981a040ebabf6f698833516ac44336f9b8dd4c3f2f9fbe9b4b4fcaec56a71c5c7f8a6d6448331ef

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
56KB

MD5
45df880c0bd8edac22c03866a2831529

SHA1
29ae7db5f8bdf77893423287a99d652c47168b20

SHA256
98959c165d41290eac37417f04d87f3a211cb4b67e8ee9494eb1b2626c4d6855

SHA512
38586179e84ee7ed5337162600158f45b2b90c0f3d960c2a583b79fc9696a4052caeee5940e81721affb600ed34c6c00e8bee930273bfe1f7045eadfb49221fd

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
56KB

MD5
c8b2d36eeae6fedb06662144690dd1e4

SHA1
49cba21ee229a1264c84931057250688425eb1b7

SHA256
41ef14168f0211d5a62ee4ff19d84ebbe2513f121ec5b48864fcb45eabe28a16

SHA512
1dc89bc3709db05033a15bcac33aef8b3ae0816f7cdd39940f8d62151ba5e7a26773874e73a4a697bcc71525d851e17ca87ff25e8093d6561b5baa66e9cb719a

Download Submit
memory/876-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1964-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads