berbew | c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Size

55KB
MD5

aac1933d5acae4ffe32749b30f7d6230
SHA1

dadd8b0c9b7678d0c19d68acbcb86aa80dd5f318
SHA256

c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333
SHA512

7ffdc76b50d8390833e7fb9bb5f0c8061f9687682e06712ebbc2cfdb946de9388e322b98f97eb70886a826fd0ff1d7f51fe4aeb20c735e6802ded9db0201c19c
SSDEEP

768:kYEei+rghd7VdhD0dij8pBmEvaJPYfcTS+8haWBrwB6C2p/1H5AJXdnh:S8m1wdigpBmEGicTl8fBrwBF2Ler

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 10 IoCs

pid	Process
4264	Dhkjej32.exe
2172	Dodbbdbb.exe
4804	Daconoae.exe
4760	Dhmgki32.exe
1188	Dogogcpo.exe
792	Daekdooc.exe
1880	Dddhpjof.exe
3048	Dgbdlf32.exe
3248	Doilmc32.exe
764	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1944	764	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4264	4000	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe	84
PID 4000 wrote to memory of 4264	4000	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe	84
PID 4000 wrote to memory of 4264	4000	c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe	84
PID 4264 wrote to memory of 2172	4264	Dhkjej32.exe	85
PID 4264 wrote to memory of 2172	4264	Dhkjej32.exe	85
PID 4264 wrote to memory of 2172	4264	Dhkjej32.exe	85
PID 2172 wrote to memory of 4804	2172	Dodbbdbb.exe	86
PID 2172 wrote to memory of 4804	2172	Dodbbdbb.exe	86
PID 2172 wrote to memory of 4804	2172	Dodbbdbb.exe	86
PID 4804 wrote to memory of 4760	4804	Daconoae.exe	87
PID 4804 wrote to memory of 4760	4804	Daconoae.exe	87
PID 4804 wrote to memory of 4760	4804	Daconoae.exe	87
PID 4760 wrote to memory of 1188	4760	Dhmgki32.exe	88
PID 4760 wrote to memory of 1188	4760	Dhmgki32.exe	88
PID 4760 wrote to memory of 1188	4760	Dhmgki32.exe	88
PID 1188 wrote to memory of 792	1188	Dogogcpo.exe	89
PID 1188 wrote to memory of 792	1188	Dogogcpo.exe	89
PID 1188 wrote to memory of 792	1188	Dogogcpo.exe	89
PID 792 wrote to memory of 1880	792	Daekdooc.exe	90
PID 792 wrote to memory of 1880	792	Daekdooc.exe	90
PID 792 wrote to memory of 1880	792	Daekdooc.exe	90
PID 1880 wrote to memory of 3048	1880	Dddhpjof.exe	91
PID 1880 wrote to memory of 3048	1880	Dddhpjof.exe	91
PID 1880 wrote to memory of 3048	1880	Dddhpjof.exe	91
PID 3048 wrote to memory of 3248	3048	Dgbdlf32.exe	92
PID 3048 wrote to memory of 3248	3048	Dgbdlf32.exe	92
PID 3048 wrote to memory of 3248	3048	Dgbdlf32.exe	92
PID 3248 wrote to memory of 764	3248	Doilmc32.exe	93
PID 3248 wrote to memory of 764	3248	Doilmc32.exe	93
PID 3248 wrote to memory of 764	3248	Doilmc32.exe	93

C:\Users\Admin\AppData\Local\Temp\c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe
"C:\Users\Admin\AppData\Local\Temp\c8da14606955463bb339039365c38c9c1c9ab0a08824b255a89f0925f8f0d333N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\Dodbbdbb.exe
    C:\Windows\system32\Dodbbdbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\Daconoae.exe
      C:\Windows\system32\Daconoae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 404
        12⤵
        Program crash
        
        PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 764 -ip 764
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
55KB

MD5
a67f70cb7dcf28b42412f5a6477b23e3

SHA1
7b5ea12f68c42b679d505eeb14c7b788a207ec4b

SHA256
1c243a7d692ba5d3d86bdb31e2c5d91d8cf6dff6bea6f7a50ebb8fe06e5c7777

SHA512
7f4e8cb3aa863c01088a14f829de745183e1a9d428ca5427a928c90e471f9dbce9028413cba62b011bc3117b73c9af16830233053998bdb34093048d67fe54ca

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
55KB

MD5
bc77064e340e6eaf746747b660d1e21d

SHA1
6b467fd5d704e19516b0598c98a80ea2d6fa81e3

SHA256
2eef6a131e3d4d011708bac44129c7a8ebbeb7547aa99996087d2a6bcd657a1c

SHA512
c8b5dcb3b40f5efdf2768cf910ad4641e201f22500aa365c932541c311c121d431c021efccf9e7de07f3f6a7e9c2a7d8d0010367d75b3b7eb914887b7cf238ac

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
55KB

MD5
d5ff09265bbccb05b00193a7a2e376b1

SHA1
305aa36fd94d22612df6a2f366574898d75d3e1c

SHA256
a3f564dde15a49c8964986d155f29fd83f0fb996a845a86f9b86294c274acfc7

SHA512
cc90f2607a5fad4d6ce4fc913406e1363ec3aa3a0e1d9a4b95e9de8f9fdb30f2fac05044fb8300c2b5bdd50e1fe88d0d57066412f0485abe1f1cb3551e481835

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
55KB

MD5
ad4f0bdef7075c6d1c31dc979bdf2275

SHA1
f2af5cf95efabb57e8cdc9829e32c05bb3e6cb2d

SHA256
9263f23b8fd584ea365356420f9a4740eae3ce864fbf879f3507f5065c503250

SHA512
e71065065f7d04374b1fa2bae7c74a65a33a0622daa9f9bd61f8406bd2fd1172cc8ec6fd8237fa21b8f65f465087419bac3ae06f5483557662634f919b6cf730

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
55KB

MD5
85a344b6da7f7ae0bbce803683e0f1cf

SHA1
cb2313259f2d598abcbb054e1f049d191eae4446

SHA256
fb75f6c342973dc37b7e14f9a9910a7d12cb4f87cf40d4576d7a6d92d95f7995

SHA512
9adca7f2026180a225b66c6b77dd1a293657054b393b5c8672bc2a0d27ee4ab8a9f2896842601dedb7b05d35fb8b289ab5dcf69643eb0bf90e015584c4b3acee

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
55KB

MD5
4040fecff7d0ab6b45eb27ae360a6a0d

SHA1
2f428e73678587adcdd08319a13638b68caa5a77

SHA256
5e54989d31e8edea6e39ea2b6b6043751c6b57d08bf1f29ce123d82efb547c68

SHA512
6a1ab04f1a63ff2732f42194d688a8408235afa4d20c2a9641541063315bda82a705aad61f802b9b4feebd9f9aaa5a510bba61a01ea07947be0d8fcc63e3e97f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
55KB

MD5
c0c96c3926367661a3760b358d2b85d9

SHA1
df0ca87a8690d0eda6f870923459494a9ca6b452

SHA256
a62fbf018688fe9e714c54c24d2ceeb905dfd4229ffc37d5663adc795c88ba93

SHA512
25418467b8b22f39ee6d0dfa1158e01c0c12878658d0e8a5715d58d75c376db8d3a980a9eeefd61e61c9c052d521be80452afcb3113791e5fa4d2ff6411045ed

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
55KB

MD5
81c7d2a86b65de4d85e22b1a0f2e4af3

SHA1
977c062c9a53ecae6197a1dfbcf3ec61a4977fc5

SHA256
8e9ee0562b9a1b6a18bd88dce59ef8812d09f5e6a12151805d682ec43e98d85d

SHA512
06ad52dab998fc9e3ead1874bcf731a652b50a8538c81fe5d63331af24f59efc5ad3f2101313cf72754dee9927127b16cf129c18029694835c8a7903c0c0416a

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
55KB

MD5
4eadddfb07d867e00256e0e7338a8517

SHA1
9788f48e2d41a024bfb535e93fc17d2d6c9d1df5

SHA256
202b140d14703d6de44b8709b14f4b228bfafeb72a90e2d13193ade30edd2977

SHA512
97ff840dfd2dafacf510551cb435afb65f95e30781ec713dce2f1f25df4496dd2cb31a67d5c9b0bfb9b384627817075ee4f644ec4457f4d02812bcb88ed6c6a7

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
55KB

MD5
0ece40d7c9d9c095a4232c2c0227d36a

SHA1
8919ac2f3deb26feac2706ed4c6d502e8e9ffe66

SHA256
68f3f235222d902433ff17fabd10035544c1e843feb7c236883e93f93f4bc247

SHA512
b75f65d5d695c3e527da03bb961b6dc1e9ef39f8ad3c51d6f47fbcf41270d0c35425d24c206b27023e9e689d793bc05e5704fdda568444e1243a04d6bff43c4b

Download Submit
memory/764-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4000-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads