Analysis
max time kernel: 14s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 07/11/2024, 07:34
Static task: static1
Behavioral task: behavioral1
  Sample: 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
  Resource: win10v2004-20241007-en
General
Target: 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Size: 112KB
MD5: 2d20707d0a0b48ea004047a9595b5f20
SHA1: 150d19d69e840ec87a50675edc18905c109e9151
SHA256: 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1d
SHA512: 89687349ff899d64702222e8ef46377d295e8a80b7f450be0f089e4921d71cfd3717960aa89dd845d9b13574c311e5fe9a2751f420e00feb07701dcd6e4215aa
SSDEEP: 3072:ji2remjbqU6pZ2IyZ3QNSLthr1RhAo+ie0TZ:jNr6DkLthr1R6xie8Z
Malware Config
Extracted: berbew
URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pkplgoop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qjeihl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aodnfbpm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeccdila.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aehmoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paekijkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Paekijkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ablmilgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agdlfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ablmilgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjeihl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ankhmncb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aodnfbpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amhopfof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aehmoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amhopfof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aeccdila.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ankhmncb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agdlfd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkplgoop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgiibp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qgiibp32.exe
Berbew family
Executes dropped EXE 12 IoCs
pid | Process
2480 | Paekijkb.exe
2972 | Pkplgoop.exe
2948 | Qjeihl32.exe
3020 | Qgiibp32.exe
2924 | Aodnfbpm.exe
640 | Amhopfof.exe
2724 | Aeccdila.exe
2412 | Ankhmncb.exe
3016 | Agdlfd32.exe
2800 | Aehmoh32.exe
2568 | Ablmilgf.exe
1248 | Bmenijcd.exe
Loads dropped DLL 28 IoCs
pid | Process
576 | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
576 | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
2480 | Paekijkb.exe
2480 | Paekijkb.exe
2972 | Pkplgoop.exe
2972 | Pkplgoop.exe
2948 | Qjeihl32.exe
2948 | Qjeihl32.exe
3020 | Qgiibp32.exe
3020 | Qgiibp32.exe
2924 | Aodnfbpm.exe
2924 | Aodnfbpm.exe
640 | Amhopfof.exe
640 | Amhopfof.exe
2724 | Aeccdila.exe
2724 | Aeccdila.exe
2412 | Ankhmncb.exe
2412 | Ankhmncb.exe
3016 | Agdlfd32.exe
3016 | Agdlfd32.exe
2800 | Aehmoh32.exe
2800 | Aehmoh32.exe
2568 | Ablmilgf.exe
2568 | Ablmilgf.exe
2472 | WerFault.exe
2472 | WerFault.exe
2472 | WerFault.exe
2472 | WerFault.exe
Drops file in System32 directory 36 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Pkplgoop.exe | Paekijkb.exe
File created | C:\Windows\SysWOW64\Mlfibh32.dll | Qgiibp32.exe
File created | C:\Windows\SysWOW64\Amhopfof.exe | Aodnfbpm.exe
File created | C:\Windows\SysWOW64\Aeccdila.exe | Amhopfof.exe
File opened for modification | C:\Windows\SysWOW64\Aeccdila.exe | Amhopfof.exe
File opened for modification | C:\Windows\SysWOW64\Bmenijcd.exe | Ablmilgf.exe
File created | C:\Windows\SysWOW64\Paekijkb.exe | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
File created | C:\Windows\SysWOW64\Qjeihl32.exe | Pkplgoop.exe
File opened for modification | C:\Windows\SysWOW64\Qjeihl32.exe | Pkplgoop.exe
File opened for modification | C:\Windows\SysWOW64\Agdlfd32.exe | Ankhmncb.exe
File created | C:\Windows\SysWOW64\Bmenijcd.exe | Ablmilgf.exe
File opened for modification | C:\Windows\SysWOW64\Paekijkb.exe | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
File created | C:\Windows\SysWOW64\Qgiibp32.exe | Qjeihl32.exe
File opened for modification | C:\Windows\SysWOW64\Qgiibp32.exe | Qjeihl32.exe
File created | C:\Windows\SysWOW64\Iindag32.dll | Qjeihl32.exe
File opened for modification | C:\Windows\SysWOW64\Ablmilgf.exe | Aehmoh32.exe
File created | C:\Windows\SysWOW64\Pkplgoop.exe | Paekijkb.exe
File created | C:\Windows\SysWOW64\Maneecda.dll | Paekijkb.exe
File created | C:\Windows\SysWOW64\Hncklnkp.dll | Pkplgoop.exe
File opened for modification | C:\Windows\SysWOW64\Ankhmncb.exe | Aeccdila.exe
File created | C:\Windows\SysWOW64\Agdlfd32.exe | Ankhmncb.exe
File created | C:\Windows\SysWOW64\Iibjbgbg.dll | Aehmoh32.exe
File opened for modification | C:\Windows\SysWOW64\Aodnfbpm.exe | Qgiibp32.exe
File opened for modification | C:\Windows\SysWOW64\Amhopfof.exe | Aodnfbpm.exe
File opened for modification | C:\Windows\SysWOW64\Aehmoh32.exe | Agdlfd32.exe
File created | C:\Windows\SysWOW64\Mikelp32.dll | Aodnfbpm.exe
File created | C:\Windows\SysWOW64\Khilfg32.dll | Amhopfof.exe
File created | C:\Windows\SysWOW64\Ankhmncb.exe | Aeccdila.exe
File created | C:\Windows\SysWOW64\Bjaoaabb.dll | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
File created | C:\Windows\SysWOW64\Jichkb32.dll | Ankhmncb.exe
File created | C:\Windows\SysWOW64\Aehmoh32.exe | Agdlfd32.exe
File created | C:\Windows\SysWOW64\Jgelak32.dll | Agdlfd32.exe
File created | C:\Windows\SysWOW64\Diflambo.dll | Ablmilgf.exe
File created | C:\Windows\SysWOW64\Aodnfbpm.exe | Qgiibp32.exe
File created | C:\Windows\SysWOW64\Jgcfpd32.dll | Aeccdila.exe
File created | C:\Windows\SysWOW64\Ablmilgf.exe | Aehmoh32.exe
Program crash 1 IoCs
pid | pid_target | Process
2472 | 1248 | WerFault.exe
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qjeihl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amhopfof.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agdlfd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmenijcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aehmoh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Paekijkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkplgoop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgiibp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aodnfbpm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aeccdila.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ankhmncb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ablmilgf.exe
Modifies registry class 39 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ankhmncb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aehmoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Amhopfof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ablmilgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maneecda.dll" | Paekijkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pkplgoop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qjeihl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qgiibp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Amhopfof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgelak32.dll" | Agdlfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hncklnkp.dll" | Pkplgoop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aeccdila.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ankhmncb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mikelp32.dll" | Aodnfbpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aodnfbpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jichkb32.dll" | Ankhmncb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjbgbg.dll" | Aehmoh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjaoaabb.dll" | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Paekijkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qjeihl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aehmoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Agdlfd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ablmilgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Paekijkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qgiibp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khilfg32.dll" | Amhopfof.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Agdlfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pkplgoop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlfibh32.dll" | Qgiibp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aodnfbpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcfpd32.dll" | Aeccdila.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iindag32.dll" | Qjeihl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aeccdila.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll" | Ablmilgf.exe
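The "Adds autorun key" and "Modifies registry class" tables above are two halves of one persistence mechanism. Every stage writes the same CLSID {79FAA099-1BAE-816E-D711-115290CEE717} into ShellServiceObjectDelayLoad under the value name "Web Event Logger", then points that CLSID's InProcServer32 default value at the DLL it has just dropped in SysWOW64. At logon Explorer enumerates ShellServiceObjectDelayLoad, instantiates each CLSID through COM, and thereby loads the InProcServer32 DLL into explorer.exe. Two details matter for triage: all twelve stages overwrite one CLSID, so only the DLL written last is the effective payload, and the report's row order is not guaranteed to be chronological; and because the sample is 32-bit, WOW64 registry redirection placed both keys under Wow6432Node, while the 64-bit explorer.exe on this x64 image reads the native key, so both views must be inspected. The script below is an added example, not part of the report or of the sandbox tooling: it parses "Set value" rows in the report's format, joins each SSODL entry to the InProcServer32 DLLs registered for its CLSID, and flags entries that are absent from an analyst-supplied allowlist or whose server DLL was rewritten by several processes. The sample rows are a constructed subset copied from the tables above; the allowlist parameter and the two flagging rules are the example's own assumptions.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) persistence from sandbox registry events."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample input: a subset of the "Set value (str)" / "Key created" rows above.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkplgoop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkplgoop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkplgoop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hncklnkp.dll" Pkplgoop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjaoaabb.dll" 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll" Ablmilgf.exe
"""

# Row shape: Set value (str) <key>\<value name> = "<data>" <process>
SET_VALUE_RE = re.compile(r'^Set value \(str\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# Matched case-insensitively against the upper-cased key, so both the native and Wow6432Node views hit.
SSODL_SUFFIX = r"\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD"


@dataclass(frozen=True)
class RegWrite:
    key: str       # registry key, upper-cased for matching
    name: str      # value name; "" is the (Default) value
    data: str      # REG_SZ data with the report's doubled backslashes undone
    process: str


def parse_set_values(text: str) -> List[RegWrite]:
    writes = []
    for line in text.strip().splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:  # "Key created" rows carry no data; nothing to resolve
            continue
        key, _, name = m["path"].rpartition("\\")
        writes.append(RegWrite(key.upper(), name, m["data"].replace("\\\\", "\\"), m["proc"]))
    return writes


def resolve_ssodl(writes: List[RegWrite]):
    """Join SSODL entries (value name -> CLSID) with the InProcServer32 DLLs registered for that CLSID."""
    entries: Dict[Tuple[str, str], Set[str]] = defaultdict(set)   # (entry name, CLSID) -> SSODL writers
    servers: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)   # CLSID -> {(dll path, writer)}
    for w in writes:
        if w.key.endswith(SSODL_SUFFIX) and CLSID_RE.match(w.data):
            entries[(w.name, w.data.upper())].add(w.process)
        elif w.name == "" and w.key.endswith("\\INPROCSERVER32"):
            clsid = w.key.rsplit("\\", 2)[-2]     # ...\CLSID\{guid}\InProcServer32 -> {guid}
            servers[clsid].add((w.data, w.process))
    return [{"entry": name, "clsid": clsid, "ssodl_writers": writers, "dlls": servers.get(clsid, set())}
            for (name, clsid), writers in entries.items()]


def report(text: str, allowlist: FrozenSet[str] = frozenset()):
    """Flag SSODL entries outside the analyst allowlist (assumed input) or rewritten by several processes."""
    findings = []
    for r in resolve_ssodl(parse_set_values(text)):
        reasons = []
        if r["entry"] not in allowlist:
            reasons.append("SSODL entry not in allowlist")
        writers = {proc for _, proc in r["dlls"]}
        if len(writers) > 1:
            reasons.append(f"InProcServer32 rewritten by {len(writers)} processes")
        findings.append({**r, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_EVENTS):
        print(f'SSODL "{f["entry"]}" -> {f["clsid"]}  written by {sorted(f["ssodl_writers"])}')
        for dll, proc in sorted(f["dlls"]):
            print(f"    InProcServer32 = {dll}  (set by {proc})")
        print("    flags:", "; ".join(f["reasons"]) or "none")
```

On a live host the same join is done against the registry itself: read every value under both the native and the Wow6432Node ShellServiceObjectDelayLoad keys, look up each CLSID's InProcServer32 default value, and treat any server DLL outside the expected Windows component set as a finding.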
Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
PID 576 wrote to memory of 2480 | 576 | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe | 30
PID 576 wrote to memory of 2480 | 576 | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe | 30
PID 576 wrote to memory of 2480 | 576 | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe | 30
PID 576 wrote to memory of 2480 | 576 | 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe | 30
PID 2480 wrote to memory of 2972 | 2480 | Paekijkb.exe | 31
PID 2480 wrote to memory of 2972 | 2480 | Paekijkb.exe | 31
PID 2480 wrote to memory of 2972 | 2480 | Paekijkb.exe | 31
PID 2480 wrote to memory of 2972 | 2480 | Paekijkb.exe | 31
PID 2972 wrote to memory of 2948 | 2972 | Pkplgoop.exe | 32
PID 2972 wrote to memory of 2948 | 2972 | Pkplgoop.exe | 32
PID 2972 wrote to memory of 2948 | 2972 | Pkplgoop.exe | 32
PID 2972 wrote to memory of 2948 | 2972 | Pkplgoop.exe | 32
PID 2948 wrote to memory of 3020 | 2948 | Qjeihl32.exe | 33
PID 2948 wrote to memory of 3020 | 2948 | Qjeihl32.exe | 33
PID 2948 wrote to memory of 3020 | 2948 | Qjeihl32.exe | 33
PID 2948 wrote to memory of 3020 | 2948 | Qjeihl32.exe | 33
PID 3020 wrote to memory of 2924 | 3020 | Qgiibp32.exe | 34
PID 3020 wrote to memory of 2924 | 3020 | Qgiibp32.exe | 34
PID 3020 wrote to memory of 2924 | 3020 | Qgiibp32.exe | 34
PID 3020 wrote to memory of 2924 | 3020 | Qgiibp32.exe | 34
PID 2924 wrote to memory of 640 | 2924 | Aodnfbpm.exe | 35
PID 2924 wrote to memory of 640 | 2924 | Aodnfbpm.exe | 35
PID 2924 wrote to memory of 640 | 2924 | Aodnfbpm.exe | 35
PID 2924 wrote to memory of 640 | 2924 | Aodnfbpm.exe | 35
PID 640 wrote to memory of 2724 | 640 | Amhopfof.exe | 36
PID 640 wrote to memory of 2724 | 640 | Amhopfof.exe | 36
PID 640 wrote to memory of 2724 | 640 | Amhopfof.exe | 36
PID 640 wrote to memory of 2724 | 640 | Amhopfof.exe | 36
PID 2724 wrote to memory of 2412 | 2724 | Aeccdila.exe | 37
PID 2724 wrote to memory of 2412 | 2724 | Aeccdila.exe | 37
PID 2724 wrote to memory of 2412 | 2724 | Aeccdila.exe | 37
PID 2724 wrote to memory of 2412 | 2724 | Aeccdila.exe | 37
PID 2412 wrote to memory of 3016 | 2412 | Ankhmncb.exe | 38
PID 2412 wrote to memory of 3016 | 2412 | Ankhmncb.exe | 38
PID 2412 wrote to memory of 3016 | 2412 | Ankhmncb.exe | 38
PID 2412 wrote to memory of 3016 | 2412 | Ankhmncb.exe | 38
PID 3016 wrote to memory of 2800 | 3016 | Agdlfd32.exe | 39
PID 3016 wrote to memory of 2800 | 3016 | Agdlfd32.exe | 39
PID 3016 wrote to memory of 2800 | 3016 | Agdlfd32.exe | 39
PID 3016 wrote to memory of 2800 | 3016 | Agdlfd32.exe | 39
PID 2800 wrote to memory of 2568 | 2800 | Aehmoh32.exe | 40
PID 2800 wrote to memory of 2568 | 2800 | Aehmoh32.exe | 40
PID 2800 wrote to memory of 2568 | 2800 | Aehmoh32.exe | 40
PID 2800 wrote to memory of 2568 | 2800 | Aehmoh32.exe | 40
PID 2568 wrote to memory of 1248 | 2568 | Ablmilgf.exe | 41
PID 2568 wrote to memory of 1248 | 2568 | Ablmilgf.exe | 41
PID 2568 wrote to memory of 1248 | 2568 | Ablmilgf.exe | 41
PID 2568 wrote to memory of 1248 | 2568 | Ablmilgf.exe | 41
PID 1248 wrote to memory of 2472 | 1248 | Bmenijcd.exe | 42
PID 1248 wrote to memory of 2472 | 1248 | Bmenijcd.exe | 42
PID 1248 wrote to memory of 2472 | 1248 | Bmenijcd.exe | 42
PID 1248 wrote to memory of 2472 | 1248 | Bmenijcd.exe | 42
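Read together, the "Drops file in System32 directory", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" tables describe a linear drop-and-execute chain: each stage creates a new eight-character .exe (and a companion .dll) in C:\Windows\SysWOW64, spawns it, and the child repeats the step, twelve hops deep until Bmenijcd.exe crashes and WerFault.exe takes over. Note that the command lines in the process tree below say C:\Windows\system32\ while the files land in SysWOW64: that is WOW64 file-system redirection for a 32-bit process, so a detection keyed on the literal path in the command line will miss the files on disk. The script below is an added example, not the report's own tooling: it reconstructs the chain from rows in the report's format and checks, for every child, that its parent created the executable it runs; a hop whose executable was not dropped by the parent (here WerFault.exe) is the crash handler, not a stage. The input rows are copied from the tables above; each "wrote to memory" row appears once here although the report lists it four times, and the PID-to-name table is built from the "Executes dropped EXE" rows plus the sample and WerFault.

```python
"""Rebuild a drop-and-execute process chain from sandbox file and process events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input, copied from the report tables (one row per parent/child pair).
FILE_ROWS = r"""
File created C:\Windows\SysWOW64\Paekijkb.exe 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
File created C:\Windows\SysWOW64\Maneecda.dll Paekijkb.exe
File created C:\Windows\SysWOW64\Pkplgoop.exe Paekijkb.exe
File created C:\Windows\SysWOW64\Qjeihl32.exe Pkplgoop.exe
File created C:\Windows\SysWOW64\Qgiibp32.exe Qjeihl32.exe
File created C:\Windows\SysWOW64\Aodnfbpm.exe Qgiibp32.exe
File created C:\Windows\SysWOW64\Amhopfof.exe Aodnfbpm.exe
File created C:\Windows\SysWOW64\Aeccdila.exe Amhopfof.exe
File created C:\Windows\SysWOW64\Ankhmncb.exe Aeccdila.exe
File created C:\Windows\SysWOW64\Agdlfd32.exe Ankhmncb.exe
File created C:\Windows\SysWOW64\Aehmoh32.exe Agdlfd32.exe
File created C:\Windows\SysWOW64\Ablmilgf.exe Aehmoh32.exe
File created C:\Windows\SysWOW64\Bmenijcd.exe Ablmilgf.exe
"""

WRITE_ROWS = """
PID 576 wrote to memory of 2480 576 321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe 30
PID 2480 wrote to memory of 2972 2480 Paekijkb.exe 31
PID 2972 wrote to memory of 2948 2972 Pkplgoop.exe 32
PID 2948 wrote to memory of 3020 2948 Qjeihl32.exe 33
PID 3020 wrote to memory of 2924 3020 Qgiibp32.exe 34
PID 2924 wrote to memory of 640 2924 Aodnfbpm.exe 35
PID 640 wrote to memory of 2724 640 Amhopfof.exe 36
PID 2724 wrote to memory of 2412 2724 Aeccdila.exe 37
PID 2412 wrote to memory of 3016 2412 Ankhmncb.exe 38
PID 3016 wrote to memory of 2800 3016 Agdlfd32.exe 39
PID 2800 wrote to memory of 2568 2800 Aehmoh32.exe 40
PID 2568 wrote to memory of 1248 2568 Ablmilgf.exe 41
PID 1248 wrote to memory of 2472 1248 Bmenijcd.exe 42
"""

# PID -> image name, from the "Executes dropped EXE" table plus the sample and WerFault.
PID_NAMES = {
    576: "321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe",
    2480: "Paekijkb.exe", 2972: "Pkplgoop.exe", 2948: "Qjeihl32.exe", 3020: "Qgiibp32.exe",
    2924: "Aodnfbpm.exe", 640: "Amhopfof.exe", 2724: "Aeccdila.exe", 2412: "Ankhmncb.exe",
    3016: "Agdlfd32.exe", 2800: "Aehmoh32.exe", 2568: "Ablmilgf.exe", 1248: "Bmenijcd.exe",
    2472: "WerFault.exe",
}

FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+)$")
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ \S+ \d+$")


@dataclass
class Stage:
    pid: int
    name: str
    parent: Optional[str]      # image name of the process that spawned this one
    dropped_by_parent: bool    # True when that parent itself created the executable


def parse_file_creates(text: str) -> Dict[str, str]:
    """Map lower-cased created path -> creating process."""
    creates: Dict[str, str] = {}
    for line in text.strip().splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            creates[m["path"].lower()] = m["proc"]
    return creates


def parse_writes(text: str) -> Dict[int, Set[int]]:
    """Map source PID -> set of PIDs it wrote into (repeated rows collapse into one edge)."""
    edges: Dict[int, Set[int]] = {}
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            edges.setdefault(int(m["src"]), set()).add(int(m["dst"]))
    return edges


def rebuild_chain(root_pid: int, edges: Dict[int, Set[int]], creates: Dict[str, str],
                  pid_names: Dict[int, str], drop_dir: str = r"C:\Windows\SysWOW64") -> List[Stage]:
    """Walk parent/child edges from the root; tag each hop by whether its parent dropped the image."""
    chain = [Stage(root_pid, pid_names[root_pid], None, False)]
    seen = {root_pid}
    todo = [root_pid]
    while todo:
        pid = todo.pop()
        for child in sorted(edges.get(pid, ())):
            if child in seen:
                continue
            seen.add(child)
            name = pid_names.get(child, f"pid{child}")
            path = f"{drop_dir}\\{name}".lower()      # redirected on-disk path for a 32-bit process
            chain.append(Stage(child, name, pid_names[pid], creates.get(path) == pid_names[pid]))
            todo.append(child)
    return chain


def dropped_stages(chain: List[Stage]) -> List[str]:
    return [s.name for s in chain if s.dropped_by_parent]


if __name__ == "__main__":
    chain = rebuild_chain(576, parse_writes(WRITE_ROWS), parse_file_creates(FILE_ROWS), PID_NAMES)
    for depth, s in enumerate(chain, 1):
        tag = "dropped by parent" if s.dropped_by_parent else "not dropped"
        print(f"[{depth:2}] pid {s.pid:<5} {s.name}  parent={s.parent}  ({tag})")
```

The same join applied to Sysmon or EDR telemetry (FileCreate joined to ProcessCreate on image path and creating PID) turns a run of individually dull events into one high-confidence alert: a chain of N processes each executing a file its parent wrote to a system directory moments earlier.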
Processes
[1] C:\Users\Admin\AppData\Local\Temp\321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe"
    PID: 576
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Paekijkb.exe
    Command line: C:\Windows\system32\Paekijkb.exe
    PID: 2480
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Pkplgoop.exe
    Command line: C:\Windows\system32\Pkplgoop.exe
    PID: 2972
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Qjeihl32.exe
    Command line: C:\Windows\system32\Qjeihl32.exe
    PID: 2948
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Qgiibp32.exe
    Command line: C:\Windows\system32\Qgiibp32.exe
    PID: 3020
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Aodnfbpm.exe
    Command line: C:\Windows\system32\Aodnfbpm.exe
    PID: 2924
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Amhopfof.exe
    Command line: C:\Windows\system32\Amhopfof.exe
    PID: 640
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Aeccdila.exe
    Command line: C:\Windows\system32\Aeccdila.exe
    PID: 2724
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Ankhmncb.exe
    Command line: C:\Windows\system32\Ankhmncb.exe
    PID: 2412
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Agdlfd32.exe
    Command line: C:\Windows\system32\Agdlfd32.exe
    PID: 3016
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Aehmoh32.exe
    Command line: C:\Windows\system32\Aehmoh32.exe
    PID: 2800
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Ablmilgf.exe
    Command line: C:\Windows\system32\Ablmilgf.exe
    PID: 2568
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Bmenijcd.exe
    Command line: C:\Windows\system32\Bmenijcd.exe
    PID: 1248
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1400
    PID: 2472
    - Loads dropped DLL
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
  MD5: 85ed82b88c06a1545eb13b787352029c
  SHA1: 729271d1b81ebbba9dd8e400efbe94d72d142800
  SHA256: 5357d743efae8a50990639f0a5942e22eaf415ef336958cc4c2b80b63f03321d
  SHA512: 85d748d504e5b46cb3f261bc38a29a1d881bc04971a17eebc2d50d9196be5951529ce24e57e615ff12373530dea9e0638c359983bfd3c2edb78272106310dda2
- Filesize: 112KB
  MD5: 93e9ff773b5773388d4d289dfdcb2a59
  SHA1: 52ba888be80e77ffdce456854a831a96bd6dccc9
  SHA256: 9e39c77f16c5cd79eac2f53a0c1ab368d345b941dc85500fc4ad4c420fac49ff
  SHA512: 8266bb50e8155ec84c05392d54fb1e09564cdfaea7d38e9a574d891ea4e5f1be406b452cb4d1818db53ffaacb4ec326e5ac01eb734f4e5b800c192687d0ecf82
- Filesize: 112KB
  MD5: 71dff91c09f364fb8ccf55178277833f
  SHA1: 20420b073dadcd6d7d2edd30b099eab7d1ef7ba1
  SHA256: d8a04b7a0fc818a55cf41baa94150ea6358d2d7c9c185e9304e386f90ff08fd6
  SHA512: 000aa4f36c5b9fbcb346026aa53837089db4eeec95b2f89ad9cb62f90fc18e35dbb3f5b18974b047c2917b9d70b87927bda8f189efd067699076b21feb81bc49
- Filesize: 112KB
  MD5: b3d8e953c1047c3eaf30dcf628698898
  SHA1: 8197a6240ab1c86fa12c31789607240c7d264768
  SHA256: 022d119009c67643e9813dc4622d34586a519e903c18958030134d271f6b65f0
  SHA512: e46759baf15664204938959fd2932427108e87a809328c168c9e340e42de62c7df9a2c92d2f62ab9369ae1fb4c55aad37633e05cc703352aaf11766c78856596
- Filesize: 112KB
  MD5: dd13d2f359b133b57a07668bfee34555
  SHA1: 30366e169fbac4a62b931fb51dedca0fcc5f0741
  SHA256: 189239ae4d4d98a4a15008c098ea628e262e7b930bef2b3aace8b5838b0dbd23
  SHA512: 49bbfcf04605e37adb755e2b718f78c4d8d16c35e66c3c0a8e8e9c4a79e8d75845c4357f9d7e6420568e9baa818486466829ac9c593fa820d062c53f73a4ba03
- Filesize: 112KB
  MD5: 6e248107c53cd75aecd211d545afc9bc
  SHA1: ae86bc53194540631889061fecfa6ef9937292bb
  SHA256: 27d574ddacc104c9166d4d6cbc9d12e37ac98f96c691845c28d4ea8e02cb5a96
  SHA512: a37fa09658b76ce1562aa378ef4d7ce1a031c65a71ac6fe8f20cd00721b973347b33e382fab6ab97092cac79fcc3f7aca556452894a154a8bda4cab4072c694a
- Filesize: 7KB
  MD5: b8cb151acedfdfad1caca3f5c330f0e0
  SHA1: 1d80ae1f32e8052ac58e02cafef4d470cabf7548
  SHA256: 372823a88ca89cf1415b71aa0b5337edf01978855b86041eaa031dd8acf54610
  SHA512: 3ebfb87c70cb587f46585cd296a72f5a086b20c4932a0f929b11ff38c25bf8f3ae097ae2362ce253076354908b161a36bcf6862dace8748336c0fae87152865c
- Filesize: 112KB
  MD5: 08e4d8fdd6f262ffaedb7848d1125733
  SHA1: 6c64765bc06dc999a37171402578bf063841409c
  SHA256: df24a0b7038a34f0d5c91c16281174cf1ec4b2c885f996a9ca79ed22fa78a955
  SHA512: 46b6468001a955c9c8f3dffd90268e83fcd31c5f24818c802f8fe03e90c691c0ffd6d1d3ab85ad2b59ecc9fa597147c37484b14ed5978b7f00acc6fc974708e9
- Filesize: 112KB
  MD5: d89f3311a00dc3fbccc3abe3953d182a
  SHA1: 8f5798ea413ad4605d4507842942f747e6d8cc18
  SHA256: 289cddc03574726ab36e4ecd1a4337bfbb14f30a554a7f1ade887e788e413a61
  SHA512: b6163f8bdf441635d85b51a02fe47f9e982fc9809c59532810e3fd202d5b0cf6b7095f8487059bde2ee31a96a1a283d6b77879a6b835eb17b0e4296bbb5e7f60
- Filesize: 112KB
  MD5: 52c7bfc27d9b77176980dbd1262b06b1
  SHA1: 104b6d747254128d86805decf82132871a5716b7
  SHA256: 3424ba3b399e2ec1455ca06cb287f6d719a2a831d4859fbabad46dd253c547e7
  SHA512: c45a3ab244bf06208accd5ae87fc7b1ad6275277b59aa1c3b983eb0e804c2a36bc80d40313519507dfe17f83efeb58dbc9609ee3167f0389806167d1c528977f
- Filesize: 112KB
  MD5: ca825b6259f51b62b6321053e686892d
  SHA1: facba291745c562eceb0b953ccb06e279b88f029
  SHA256: c4c2e1990547aed2ff6073eee2b08c9f8dfbb320e108fb254dc26e4ee403947d
  SHA512: 1cba7eefc940a8071ea55a2a34f42eacbf83534e04892a3df4f98c011c2b1961db42eb996838870f236bc66c8d3a4606374db9514b5a141e0ee736ff9f7b3a08
- Filesize: 112KB
  MD5: d10c0b3a2101719f91df96ab55ce42aa
  SHA1: 8d68567d2dd4bac928528472ade5de0634248b6b
  SHA256: fbbb68b698479c54eb6eaaf18981b0c8a3eee5c7d2cb110da0dc7354349812e6
  SHA512: 4cc889d9dec127bb2016773b69b464f9f9e11a99646b63f65050d3127e0c15136d0cc0a3c6363c959595e47e6eb812fcf3405e04c9a10b077fe499816a1a84d9
- Filesize: 112KB
  MD5: 775708c1e8e9b5a6cec149515a5386f1
  SHA1: fceadf6ea77dcfb1375445f6f1e3297e6ea65544
  SHA256: c72dc85409d27746a0a86262b65f292133e08f193a04fd5b0e9b73d1a303b8b0
  SHA512: 5ab3bb62edffa4e8d3c2ed50f17208901e4d2729770e1df5bc12f537d23b68a077115bafb9616f0ce4538efba5fad90ba180006ca1b3a74e21943a842c3cf73f