berbew | aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841d

Analysis

max time kernel
24s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
Size

96KB
MD5

f256d9a62d1b0f2000d6867928f5b6c0
SHA1

510cef302c5cd759309ca736963e92eb54553af2
SHA256

aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841d
SHA512

a53ec083c77294162575d4a7d2a169c1aa3d242b76317021cc3a241d1fefd708c7ba91411f089174b7a9eda46836ead44e5ff4cd5bcbd6ee672d2920fa2f3896
SSDEEP

1536:mrLQIwJoYpkX35NZVxAEMAPLIVdyKMVz2Lp7RZObZUUWaegPYA:mvCvpknPqAPLYdyKMVQpClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 12 IoCs

pid	Process
2820	Apdhjq32.exe
1576	Bmhideol.exe
2724	Bfpnmj32.exe
2192	Bphbeplm.exe
768	Biafnecn.exe
808	Bbikgk32.exe
2872	Bhfcpb32.exe
2200	Bmclhi32.exe
2020	Bhhpeafc.exe
1096	Bmeimhdj.exe
1960	Chkmkacq.exe
860	Cacacg32.exe

Loads dropped DLL 28 IoCs

pid	Process
2928	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
2928	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
2820	Apdhjq32.exe
2820	Apdhjq32.exe
1576	Bmhideol.exe
1576	Bmhideol.exe
2724	Bfpnmj32.exe
2724	Bfpnmj32.exe
2192	Bphbeplm.exe
2192	Bphbeplm.exe
768	Biafnecn.exe
768	Biafnecn.exe
808	Bbikgk32.exe
808	Bbikgk32.exe
2872	Bhfcpb32.exe
2872	Bhfcpb32.exe
2200	Bmclhi32.exe
2200	Bmclhi32.exe
2020	Bhhpeafc.exe
2020	Bhhpeafc.exe
1096	Bmeimhdj.exe
1096	Bmeimhdj.exe
1960	Chkmkacq.exe
1960	Chkmkacq.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
File created	C:\Windows\SysWOW64\Bfpnmj32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Lmpanl32.dll	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Jhgkeald.dll	Bmhideol.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Biafnecn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1816	860	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2820	2928	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe	30
PID 2928 wrote to memory of 2820	2928	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe	30
PID 2928 wrote to memory of 2820	2928	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe	30
PID 2928 wrote to memory of 2820	2928	aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe	30
PID 2820 wrote to memory of 1576	2820	Apdhjq32.exe	31
PID 2820 wrote to memory of 1576	2820	Apdhjq32.exe	31
PID 2820 wrote to memory of 1576	2820	Apdhjq32.exe	31
PID 2820 wrote to memory of 1576	2820	Apdhjq32.exe	31
PID 1576 wrote to memory of 2724	1576	Bmhideol.exe	32
PID 1576 wrote to memory of 2724	1576	Bmhideol.exe	32
PID 1576 wrote to memory of 2724	1576	Bmhideol.exe	32
PID 1576 wrote to memory of 2724	1576	Bmhideol.exe	32
PID 2724 wrote to memory of 2192	2724	Bfpnmj32.exe	33
PID 2724 wrote to memory of 2192	2724	Bfpnmj32.exe	33
PID 2724 wrote to memory of 2192	2724	Bfpnmj32.exe	33
PID 2724 wrote to memory of 2192	2724	Bfpnmj32.exe	33
PID 2192 wrote to memory of 768	2192	Bphbeplm.exe	34
PID 2192 wrote to memory of 768	2192	Bphbeplm.exe	34
PID 2192 wrote to memory of 768	2192	Bphbeplm.exe	34
PID 2192 wrote to memory of 768	2192	Bphbeplm.exe	34
PID 768 wrote to memory of 808	768	Biafnecn.exe	35
PID 768 wrote to memory of 808	768	Biafnecn.exe	35
PID 768 wrote to memory of 808	768	Biafnecn.exe	35
PID 768 wrote to memory of 808	768	Biafnecn.exe	35
PID 808 wrote to memory of 2872	808	Bbikgk32.exe	36
PID 808 wrote to memory of 2872	808	Bbikgk32.exe	36
PID 808 wrote to memory of 2872	808	Bbikgk32.exe	36
PID 808 wrote to memory of 2872	808	Bbikgk32.exe	36
PID 2872 wrote to memory of 2200	2872	Bhfcpb32.exe	37
PID 2872 wrote to memory of 2200	2872	Bhfcpb32.exe	37
PID 2872 wrote to memory of 2200	2872	Bhfcpb32.exe	37
PID 2872 wrote to memory of 2200	2872	Bhfcpb32.exe	37
PID 2200 wrote to memory of 2020	2200	Bmclhi32.exe	38
PID 2200 wrote to memory of 2020	2200	Bmclhi32.exe	38
PID 2200 wrote to memory of 2020	2200	Bmclhi32.exe	38
PID 2200 wrote to memory of 2020	2200	Bmclhi32.exe	38
PID 2020 wrote to memory of 1096	2020	Bhhpeafc.exe	39
PID 2020 wrote to memory of 1096	2020	Bhhpeafc.exe	39
PID 2020 wrote to memory of 1096	2020	Bhhpeafc.exe	39
PID 2020 wrote to memory of 1096	2020	Bhhpeafc.exe	39
PID 1096 wrote to memory of 1960	1096	Bmeimhdj.exe	40
PID 1096 wrote to memory of 1960	1096	Bmeimhdj.exe	40
PID 1096 wrote to memory of 1960	1096	Bmeimhdj.exe	40
PID 1096 wrote to memory of 1960	1096	Bmeimhdj.exe	40
PID 1960 wrote to memory of 860	1960	Chkmkacq.exe	41
PID 1960 wrote to memory of 860	1960	Chkmkacq.exe	41
PID 1960 wrote to memory of 860	1960	Chkmkacq.exe	41
PID 1960 wrote to memory of 860	1960	Chkmkacq.exe	41
PID 860 wrote to memory of 1816	860	Cacacg32.exe	42
PID 860 wrote to memory of 1816	860	Cacacg32.exe	42
PID 860 wrote to memory of 1816	860	Cacacg32.exe	42
PID 860 wrote to memory of 1816	860	Cacacg32.exe	42

C:\Users\Admin\AppData\Local\Temp\aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe
"C:\Users\Admin\AppData\Local\Temp\aaaba6ed563f2d23e7a33e0c834f88dddb2b341bf8f27d8f471942ce2822841dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\Apdhjq32.exe
  C:\Windows\system32\Apdhjq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\Bmhideol.exe
    C:\Windows\system32\Bmhideol.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\Bfpnmj32.exe
      C:\Windows\system32\Bfpnmj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
96KB

MD5
e698f2ad570c96d2367a92528c680b55

SHA1
5c5cf1491c1499f8e48de8632d3500ab42eae370

SHA256
289b29bbdb0669a8a5bddfa38de524be183745163f4b3757f1d3244a3c3a8cf2

SHA512
a01f1c4f4f8e9484f689037842fb8f7e88685a4b97b66cc309141b6fa130035c3b6b33dc5df37f7afb2003e976e05db4bec97648eb9a3c5be63f6e8054e92be9

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
96KB

MD5
9ded3bed9ad56721bbd06c545b826b79

SHA1
5ce07cf8ca6875c2d47c495c30a887c8f5229381

SHA256
529129630c273fe32e08d80fbfa8e29e0711f0c2ead6f3de8e396f66f9138218

SHA512
408c50822bde9e44541b7d7c130ca886d52ec51f0e80f213f31c9fb199cb286ad247a97f9f68a21e17c26bdef98d27d13eb1901e9327460ef3ad5023a2653130

Download Submit
\Windows\SysWOW64\Bbikgk32.exe

Filesize
96KB

MD5
9374cb77b09775f75ce6a5d0404eea88

SHA1
2ea35b71d4e9071f95ede45eb638c91e9b3cb353

SHA256
943d98794e0dbc6f5576fba01a1afe59bfc956cc0510658a02f68470685ab137

SHA512
712a2bb3a61a758ddc883c2210e4f58e4bd5cd31180f4fb96d770621a4fd22250eec2990704f8257e2abe22a016ed2546c842504dca081efaa4c33d16bea6226

Download Submit
\Windows\SysWOW64\Bfpnmj32.exe

Filesize
96KB

MD5
e0308eeb5b8124d2c44ca2483a52d274

SHA1
b69b2068ac4a0d74ea97f8509882b14459d80bfa

SHA256
041c1d7d4353aaaf1a61aa98d575b0609ff10176a9ca0647552ab82ae52ae7f8

SHA512
16372e5eb4857c4cec72cae5be5ab2ea506f936de5688f27d22db2445fdd44772091fc36de421b66e431ce077580dad819d1a1bc99c821d6d55beceecea6175a

Download Submit
\Windows\SysWOW64\Bhfcpb32.exe

Filesize
96KB

MD5
b494d39ba65ce77ff27e0013f424ab2b

SHA1
10a4a480536950c66b7f69d0c097aab9231a8517

SHA256
0a4a52a18fe974b6b421dfc53444afe5c85e5c5e657eaf1544098c60f6841cbd

SHA512
2b496cb9d24b0eed63cfa6b1f3d1e0e44692a6cd40b6b3bd4050ba1c9aaa33aa8a3703fea7c2b84c0abc93dffe58a395db8c9cdfbd52fcfea928fba8ba57d622

Download Submit
\Windows\SysWOW64\Bhhpeafc.exe

Filesize
96KB

MD5
81f5084b3a209a0545840068d49c155c

SHA1
daa4f2b225007ff60a087c019c3c716b0fc7958d

SHA256
d0fcc13447eb8cdce9873af1181e1104c591f61493ccfb8e70ed102b8a7f5404

SHA512
5278a333d7346124903b67a722b06c550b6af74735219d4bf083369e75bbdffe9740df563e5d5ab730aadca7f919c2407aafe786801c16b9bd19a7848e0b28c3

Download Submit
\Windows\SysWOW64\Biafnecn.exe

Filesize
96KB

MD5
775a49603d2dbc2550b878390a6ea3fe

SHA1
ceb6f95931ad07cc3dfb5df52dccbd09e70c78b4

SHA256
3fd76a13b8226489977ccf19f5606b7f1947fcf9e62ecbae25640e79564410ee

SHA512
2c4dfe6312a80f322c3e2c786ff29f5b2803116523621c8b2f9db1096612e5c4061aa09fbcf52879c6a7882b3837bfbd2f0df4534e165079d46d83683ef7160a

Download Submit
\Windows\SysWOW64\Bmeimhdj.exe

Filesize
96KB

MD5
eff33bab1ccf915e35540d9b2172c545

SHA1
cd395ee2b54920f5c8db51ac61a4a887e00bcf26

SHA256
b0700deef1d51a152cbad9c3ae3a62d6d6ce9cf0a9765261bbc061b69b326b5f

SHA512
cc2cd1b3621f664378039f68dd37559df69be0598225d8686a335852561aa0eb1de53f4fc465014815f9965bd7684c24470ccfa936f714314b794439fb51e783

Download Submit
\Windows\SysWOW64\Bmhideol.exe

Filesize
96KB

MD5
824e494532c0bb08d818d55d5a12ecf0

SHA1
2e3623362cd3567cda9391f408c84d3035b90c5d

SHA256
e99180d98b79b380b6cd789001c6b965e81c5c183815be13b0d5c9ee711de3fb

SHA512
1123f4bc59414d364df06790fb610d9691d4fedb0c4f93a00505004fbd490e08d4c230b7cd9effc91a6c6e8ac482325ba8a3636669195933fdb3dc1716fea0df

Download Submit
\Windows\SysWOW64\Bphbeplm.exe

Filesize
96KB

MD5
0dce5010c9898404643949b70d183f72

SHA1
905d50a62bc1dad87734ca0c09e76f1b2ec1b6d7

SHA256
958dcdba4d0a1b24b845ce9ac7b40dfe894f1045fe0aaa530c73082b321da1e0

SHA512
386c31500b04eee1765f39808d12a4f28b0f54d9f2903e7d818bd836c4ffc4e372feff59dd552a63997617c2a9ba4edf78fa7ae8b3e04f65c6aaa8d077dc0191

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
96KB

MD5
19bb5f54a28124c94bc60db0a5e8c129

SHA1
c244dd9595df1cfd9f4041b4a950b65647677059

SHA256
178c25dfc5a32dbf1873cde5193de0424a223b4d1de2c270e1ade11ac1f3b66c

SHA512
9bee06a63daf1faf08247dee401d87cc3c6c8afd4696f2fca80d9950c57475a45a62480de4acb3ba1c71617532436349cc5f8a1fd34160af0859b2196641ae5d

Download Submit
\Windows\SysWOW64\Chkmkacq.exe

Filesize
96KB

MD5
0bb22c14854100b88d1c9dc43c952a24

SHA1
e27d6bc7811b78d39277362ba5425ba97d3f9c83

SHA256
c1b06f5ff2f5087e6313cbe5f8292a7ede7bde358bf3358ba3fb4f7e3e97a285

SHA512
33c2ead0ead6d994a9277720f0659147ce4942fdd3e9f6e332a24410eabb5884227f84fd593f3f2c2b249a59173b7b8608250fb69b344e188d01a914e046927b

Download Submit
memory/768-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-76-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/808-89-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/808-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-141-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1576-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-39-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1576-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-62-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2192-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-115-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2724-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-25-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2820-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2928-11-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2928-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads