Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 07:22

Static task: static1

Behavioral task: behavioral1
Sample: b0618045e70f2ec5d9ffcfc88253d5b62086e78fa4d73cf0e72fe217034cbdb8N.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: b0618045e70f2ec5d9ffcfc88253d5b62086e78fa4d73cf0e72fe217034cbdb8N.exe
Resource: win10v2004-20241007-en

General
Target: b0618045e70f2ec5d9ffcfc88253d5b62086e78fa4d73cf0e72fe217034cbdb8N.exe
Size: 72KB
MD5: a3e1f3f0e5aa0c08c0e8e59ad5da5d60
SHA1: 74ab0b85c6d5b52e3883a778fd6d5ec4f3c7f736
SHA256: b0618045e70f2ec5d9ffcfc88253d5b62086e78fa4d73cf0e72fe217034cbdb8
SHA512: cee8bc1147f9e41f9afccea30a78ebf58e21781506dfb1437c24098a2bd194ed7475953f3edd9d8e778866633773adef7b5fb9a2fb336968b23895741c8cd8aa
SSDEEP: 1536:DjFd83hB48a0Ogvt3GzzYCokDGPgUN3QivEtA:nFd8x5aYNLqDGPgU5QJA
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 28 IoCs)
Berbew family
Executes dropped EXE (14 IoCs)
pid   Process
2692  Kmkihbho.exe
2652  Kpieengb.exe
2752  Kbhbai32.exe
2660  Libjncnc.exe
780   Lplbjm32.exe
2200  Lidgcclp.exe
2360  Lmpcca32.exe
2792  Loaokjjg.exe
2908  Lghgmg32.exe
2928  Llepen32.exe
2420  Loclai32.exe
704   Lhlqjone.exe
2128  Lcadghnk.exe
1936  Lepaccmo.exe
Loads dropped DLL (32 IoCs)
Drops file in System32 directory (42 IoCs)
Program crash (1 IoC)
pid   pid_target  Process       procid_target
2224  1936        WerFault.exe  43
System Location Discovery: System Language Discovery (1 TTPs, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (45 IoCs)
Suspicious use of WriteProcessMemory (60 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b0618045e70f2ec5d9ffcfc88253d5b62086e78fa4d73cf0e72fe217034cbdb8N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b0618045e70f2ec5d9ffcfc88253d5b62086e78fa4d73cf0e72fe217034cbdb8N.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2640

2. C:\Windows\SysWOW64\Kmkihbho.exe
   Command line: C:\Windows\system32\Kmkihbho.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2692

3. C:\Windows\SysWOW64\Kpieengb.exe
   Command line: C:\Windows\system32\Kpieengb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2652

4. C:\Windows\SysWOW64\Kbhbai32.exe
   Command line: C:\Windows\system32\Kbhbai32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2752

5. C:\Windows\SysWOW64\Libjncnc.exe
   Command line: C:\Windows\system32\Libjncnc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2660

6. C:\Windows\SysWOW64\Lplbjm32.exe
   Command line: C:\Windows\system32\Lplbjm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 780

7. C:\Windows\SysWOW64\Lidgcclp.exe
   Command line: C:\Windows\system32\Lidgcclp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2200

8. C:\Windows\SysWOW64\Lmpcca32.exe
   Command line: C:\Windows\system32\Lmpcca32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2360

9. C:\Windows\SysWOW64\Loaokjjg.exe
   Command line: C:\Windows\system32\Loaokjjg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2792

10. C:\Windows\SysWOW64\Lghgmg32.exe
    Command line: C:\Windows\system32\Lghgmg32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2908

11. C:\Windows\SysWOW64\Llepen32.exe
    Command line: C:\Windows\system32\Llepen32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2928

12. C:\Windows\SysWOW64\Loclai32.exe
    Command line: C:\Windows\system32\Loclai32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2420

13. C:\Windows\SysWOW64\Lhlqjone.exe
    Command line: C:\Windows\system32\Lhlqjone.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 704

14. C:\Windows\SysWOW64\Lcadghnk.exe
    Command line: C:\Windows\system32\Lcadghnk.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2128

15. C:\Windows\SysWOW64\Lepaccmo.exe
    Command line: C:\Windows\system32\Lepaccmo.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1936

16. C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 140
    - Loads dropped DLL
    - Program crash
    PID: 2224
MITRE ATT&CK Enterprise v15
Downloads