Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 05:55
Static task
static1
Behavioral task
behavioral1
Sample
e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Resource
win10v2004-20241007-en
General
-
Target
e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
-
Size
69KB
-
MD5
790be529d619ff149c9d45ba59acc900
-
SHA1
824ce3c6fdf5cc8e064553757e64b6d130942a99
-
SHA256
e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554e
-
SHA512
a45887c60f347a5cc85e0d7f6adcd68c0bf87b1fe55b579ba02edf90cb2303672bbacbea781e002e6e31d102dd22b3bbfc56002f1734314ff0a69f60dc78544f
-
SSDEEP
1536:VwMDlo75QZL9HdHjg8dZavfcvxcNein/GFZCeDAyN:Vw0lo7EL3DgOocvuNFn/GFZC1yN
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceebklai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbbpenco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfkloq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cepipm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbdiia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnkjnb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abmgjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abmgjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bqijljfd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkjdndjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqijljfd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bigkel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bigkel32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnkjnb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akfkbd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbbpenco.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cepipm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbdiia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ceebklai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akfkbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkjdndjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfkloq32.exe
Berbew family
-
Executes dropped EXE 12 IoCs
pid | Process
324 | Abmgjo32.exe
1700 | Akfkbd32.exe
1080 | Bbbpenco.exe
2908 | Bkjdndjo.exe
2468 | Bqijljfd.exe
2656 | Bigkel32.exe
2628 | Cfkloq32.exe
2124 | Cepipm32.exe
672 | Cbdiia32.exe
2976 | Cnkjnb32.exe
1176 | Ceebklai.exe
2184 | Dpapaj32.exe
Loads dropped DLL 27 IoCs
pid | Process
2064 | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
2064 | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
324 | Abmgjo32.exe
324 | Abmgjo32.exe
1700 | Akfkbd32.exe
1700 | Akfkbd32.exe
1080 | Bbbpenco.exe
1080 | Bbbpenco.exe
2908 | Bkjdndjo.exe
2908 | Bkjdndjo.exe
2468 | Bqijljfd.exe
2468 | Bqijljfd.exe
2656 | Bigkel32.exe
2656 | Bigkel32.exe
2628 | Cfkloq32.exe
2628 | Cfkloq32.exe
2124 | Cepipm32.exe
2124 | Cepipm32.exe
672 | Cbdiia32.exe
672 | Cbdiia32.exe
2976 | Cnkjnb32.exe
2976 | Cnkjnb32.exe
1176 | Ceebklai.exe
1176 | Ceebklai.exe
2400 | WerFault.exe
2400 | WerFault.exe
2400 | WerFault.exe
Drops file in System32 directory 36 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Bbbpenco.exe | Akfkbd32.exe
File created | C:\Windows\SysWOW64\Cnkjnb32.exe | Cbdiia32.exe
File opened for modification | C:\Windows\SysWOW64\Cnkjnb32.exe | Cbdiia32.exe
File created | C:\Windows\SysWOW64\Dpapaj32.exe | Ceebklai.exe
File created | C:\Windows\SysWOW64\Aebfidim.dll | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
File created | C:\Windows\SysWOW64\Gdgqdaoh.dll | Cfkloq32.exe
File created | C:\Windows\SysWOW64\Akfkbd32.exe | Abmgjo32.exe
File opened for modification | C:\Windows\SysWOW64\Akfkbd32.exe | Abmgjo32.exe
File opened for modification | C:\Windows\SysWOW64\Ceebklai.exe | Cnkjnb32.exe
File created | C:\Windows\SysWOW64\Abmgjo32.exe | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
File opened for modification | C:\Windows\SysWOW64\Abmgjo32.exe | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
File created | C:\Windows\SysWOW64\Lkknbejg.dll | Bbbpenco.exe
File created | C:\Windows\SysWOW64\Bigkel32.exe | Bqijljfd.exe
File created | C:\Windows\SysWOW64\Cfkloq32.exe | Bigkel32.exe
File opened for modification | C:\Windows\SysWOW64\Cfkloq32.exe | Bigkel32.exe
File opened for modification | C:\Windows\SysWOW64\Cepipm32.exe | Cfkloq32.exe
File created | C:\Windows\SysWOW64\Liempneg.dll | Cbdiia32.exe
File opened for modification | C:\Windows\SysWOW64\Bbbpenco.exe | Akfkbd32.exe
File opened for modification | C:\Windows\SysWOW64\Bkjdndjo.exe | Bbbpenco.exe
File created | C:\Windows\SysWOW64\Bqijljfd.exe | Bkjdndjo.exe
File opened for modification | C:\Windows\SysWOW64\Bigkel32.exe | Bqijljfd.exe
File created | C:\Windows\SysWOW64\Oinhifdq.dll | Bqijljfd.exe
File created | C:\Windows\SysWOW64\Cbdiia32.exe | Cepipm32.exe
File opened for modification | C:\Windows\SysWOW64\Cbdiia32.exe | Cepipm32.exe
File created | C:\Windows\SysWOW64\Ceebklai.exe | Cnkjnb32.exe
File created | C:\Windows\SysWOW64\Kgloog32.dll | Cnkjnb32.exe
File created | C:\Windows\SysWOW64\Pdkefp32.dll | Ceebklai.exe
File created | C:\Windows\SysWOW64\Jcojqm32.dll | Akfkbd32.exe
File opened for modification | C:\Windows\SysWOW64\Bqijljfd.exe | Bkjdndjo.exe
File created | C:\Windows\SysWOW64\Cepipm32.exe | Cfkloq32.exe
File created | C:\Windows\SysWOW64\Gggpgo32.dll | Abmgjo32.exe
File created | C:\Windows\SysWOW64\Oghnkh32.dll | Bigkel32.exe
File created | C:\Windows\SysWOW64\Bkjdndjo.exe | Bbbpenco.exe
File created | C:\Windows\SysWOW64\Dgnenf32.dll | Bkjdndjo.exe
File created | C:\Windows\SysWOW64\Fhgpia32.dll | Cepipm32.exe
File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | Ceebklai.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\system32†Daplkmbg.¿xe | Dpapaj32.exe
File opened for modification | C:\Windows\system32†Daplkmbg.¿xe | Dpapaj32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2400 | 2184 | WerFault.exe | 42
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cepipm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnkjnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpapaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akfkbd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkjdndjo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqijljfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfkloq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abmgjo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbbpenco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bigkel32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbdiia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceebklai.exe
Modifies registry class 39 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cepipm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ceebklai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Abmgjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll" | Abmgjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll" | Bbbpenco.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bigkel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll" | Cepipm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll" | Bqijljfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll" | Cfkloq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll" | Bigkel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bigkel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | Ceebklai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll" | Akfkbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akfkbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bbbpenco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" | Bkjdndjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bkjdndjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bqijljfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cfkloq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll" | Cbdiia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cepipm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cnkjnb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akfkbd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bqijljfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbdiia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbbpenco.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bkjdndjo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnkjnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" | Cnkjnb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ceebklai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll" | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abmgjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfkloq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbdiia32.exe
Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
PID 2064 wrote to memory of 324 | 2064 | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe | 30
PID 2064 wrote to memory of 324 | 2064 | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe | 30
PID 2064 wrote to memory of 324 | 2064 | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe | 30
PID 2064 wrote to memory of 324 | 2064 | e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe | 30
PID 324 wrote to memory of 1700 | 324 | Abmgjo32.exe | 31
PID 324 wrote to memory of 1700 | 324 | Abmgjo32.exe | 31
PID 324 wrote to memory of 1700 | 324 | Abmgjo32.exe | 31
PID 324 wrote to memory of 1700 | 324 | Abmgjo32.exe | 31
PID 1700 wrote to memory of 1080 | 1700 | Akfkbd32.exe | 33
PID 1700 wrote to memory of 1080 | 1700 | Akfkbd32.exe | 33
PID 1700 wrote to memory of 1080 | 1700 | Akfkbd32.exe | 33
PID 1700 wrote to memory of 1080 | 1700 | Akfkbd32.exe | 33
PID 1080 wrote to memory of 2908 | 1080 | Bbbpenco.exe | 34
PID 1080 wrote to memory of 2908 | 1080 | Bbbpenco.exe | 34
PID 1080 wrote to memory of 2908 | 1080 | Bbbpenco.exe | 34
PID 1080 wrote to memory of 2908 | 1080 | Bbbpenco.exe | 34
PID 2908 wrote to memory of 2468 | 2908 | Bkjdndjo.exe | 35
PID 2908 wrote to memory of 2468 | 2908 | Bkjdndjo.exe | 35
PID 2908 wrote to memory of 2468 | 2908 | Bkjdndjo.exe | 35
PID 2908 wrote to memory of 2468 | 2908 | Bkjdndjo.exe | 35
PID 2468 wrote to memory of 2656 | 2468 | Bqijljfd.exe | 36
PID 2468 wrote to memory of 2656 | 2468 | Bqijljfd.exe | 36
PID 2468 wrote to memory of 2656 | 2468 | Bqijljfd.exe | 36
PID 2468 wrote to memory of 2656 | 2468 | Bqijljfd.exe | 36
PID 2656 wrote to memory of 2628 | 2656 | Bigkel32.exe | 37
PID 2656 wrote to memory of 2628 | 2656 | Bigkel32.exe | 37
PID 2656 wrote to memory of 2628 | 2656 | Bigkel32.exe | 37
PID 2656 wrote to memory of 2628 | 2656 | Bigkel32.exe | 37
PID 2628 wrote to memory of 2124 | 2628 | Cfkloq32.exe | 38
PID 2628 wrote to memory of 2124 | 2628 | Cfkloq32.exe | 38
PID 2628 wrote to memory of 2124 | 2628 | Cfkloq32.exe | 38
PID 2628 wrote to memory of 2124 | 2628 | Cfkloq32.exe | 38
PID 2124 wrote to memory of 672 | 2124 | Cepipm32.exe | 39
PID 2124 wrote to memory of 672 | 2124 | Cepipm32.exe | 39
PID 2124 wrote to memory of 672 | 2124 | Cepipm32.exe | 39
PID 2124 wrote to memory of 672 | 2124 | Cepipm32.exe | 39
PID 672 wrote to memory of 2976 | 672 | Cbdiia32.exe | 40
PID 672 wrote to memory of 2976 | 672 | Cbdiia32.exe | 40
PID 672 wrote to memory of 2976 | 672 | Cbdiia32.exe | 40
PID 672 wrote to memory of 2976 | 672 | Cbdiia32.exe | 40
PID 2976 wrote to memory of 1176 | 2976 | Cnkjnb32.exe | 41
PID 2976 wrote to memory of 1176 | 2976 | Cnkjnb32.exe | 41
PID 2976 wrote to memory of 1176 | 2976 | Cnkjnb32.exe | 41
PID 2976 wrote to memory of 1176 | 2976 | Cnkjnb32.exe | 41
PID 1176 wrote to memory of 2184 | 1176 | Ceebklai.exe | 42
PID 1176 wrote to memory of 2184 | 1176 | Ceebklai.exe | 42
PID 1176 wrote to memory of 2184 | 1176 | Ceebklai.exe | 42
PID 1176 wrote to memory of 2184 | 1176 | Ceebklai.exe | 42
PID 2184 wrote to memory of 2400 | 2184 | Dpapaj32.exe | 43
PID 2184 wrote to memory of 2400 | 2184 | Dpapaj32.exe | 43
PID 2184 wrote to memory of 2400 | 2184 | Dpapaj32.exe | 43
PID 2184 wrote to memory of 2400 | 2184 | Dpapaj32.exe | 43
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e43ccadd1aa963ddad51c4740ba50d7c988ba9a6e7fc55c8f9efd0e4e47a554eN.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2064
Process (depth 2): C:\Windows\SysWOW64\Abmgjo32.exe
Command line: C:\Windows\system32\Abmgjo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 324
Process (depth 3): C:\Windows\SysWOW64\Akfkbd32.exe
Command line: C:\Windows\system32\Akfkbd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1700
Process (depth 4): C:\Windows\SysWOW64\Bbbpenco.exe
Command line: C:\Windows\system32\Bbbpenco.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1080
Process (depth 5): C:\Windows\SysWOW64\Bkjdndjo.exe
Command line: C:\Windows\system32\Bkjdndjo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2908
Process (depth 6): C:\Windows\SysWOW64\Bqijljfd.exe
Command line: C:\Windows\system32\Bqijljfd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2468
Process (depth 7): C:\Windows\SysWOW64\Bigkel32.exe
Command line: C:\Windows\system32\Bigkel32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2656
Process (depth 8): C:\Windows\SysWOW64\Cfkloq32.exe
Command line: C:\Windows\system32\Cfkloq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2628
Process (depth 9): C:\Windows\SysWOW64\Cepipm32.exe
Command line: C:\Windows\system32\Cepipm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2124
Process (depth 10): C:\Windows\SysWOW64\Cbdiia32.exe
Command line: C:\Windows\system32\Cbdiia32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 672
Process (depth 11): C:\Windows\SysWOW64\Cnkjnb32.exe
Command line: C:\Windows\system32\Cnkjnb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2976
Process (depth 12): C:\Windows\SysWOW64\Ceebklai.exe
Command line: C:\Windows\system32\Ceebklai.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1176
Process (depth 13): C:\Windows\SysWOW64\Dpapaj32.exe
Command line: C:\Windows\system32\Dpapaj32.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2184
Process (depth 14): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 144
- Loads dropped DLL
- Program crash
PID: 2400
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
69KB
MD5 1593cca52d6da2a54c79b74f647dabe5
SHA1 e4d6bc6d680bb73abaf814005b7c0f6eb818877b
SHA256 b7bb995094a1663843595be4d6505b8343cb631e7cb9c8d4775edef7b419cc93
SHA512 c257297563b0dd560b6c0070b9776ba3d2b5499ae1b085cd19ecee550a674f4bc270999c7ed7d763472cc4e37fa34f4580d805511f97212a6ed375a7a82c6941
-
Filesize
69KB
MD5 361433784d65a11e55f4a79b6143a145
SHA1 640e0b2eac37fcd23b5ca2ba8cfa2df963363e1f
SHA256 ffbbc3027bda174b3544f2296805841b48e3757a334fc29abfbaf5ba81e8ec25
SHA512 4aa6533b02c542a1559cd5cf1f1cb7d673534cf84a2792089568c3fc93d2eaf71ef35e7e7dbc56ede6c679ba20976d3b3865860f7637afa0eb3322ad13381420
-
Filesize
69KB
MD5 686e3a44eb1d75e632986deff179347d
SHA1 6f5bfbd8b614ba4f5fe2fbf7b92437ba98ea9286
SHA256 ff72adedcc06bd441591f27bd6dd4d4845d198a8950140d97c9b457a61543d85
SHA512 2554d1bdc460c4851b3a49b5b6c22440e76d0b06231dd7091ded3402fb458fe10bb771ac63781bba2ff09ffd2c77055295cdad205242f99c02b553a72abba6dc
-
Filesize
69KB
MD5 572db954954407b8df177595e3de21a5
SHA1 1e646d49752ac6709fb8c76c1dd3c80bed68ea56
SHA256 6d1ad4e3dc5e0680c044b9fb6b4390b88c5059f3aaaba8cb007145ed395411a3
SHA512 7198878381196d0f7497e9766bac206a73883756155b339f4006393fb0fea8a10986843350dcf41d0dcf8f7ba42b759884095f1e754e38177eacd524f6cdefcd
-
Filesize
69KB
MD5 28676e98b580f54b378766267a4c8044
SHA1 af7ef803bc60c10c9d430fcfbb97a7149b9525c9
SHA256 c08259ca977e104bd721a9424f02358c244223b83052282414cbd38880273a0d
SHA512 09183fc82695d87894e3265b1eb5d239aea1908e8076b815c94b36f2dae535a439a657ce5eddef21e057b0d7ce537da8dd8d2851a74c21b6eeb69d8f000af89f
-
Filesize
69KB
MD5 820f9d2e44a761614ea591e95f253182
SHA1 88cfa485a989abb9f818074d4405469766e0b329
SHA256 2bc4b05f67b24e0b46e38afa6e76e5fa7faea1699124b642c1a251cb021de43c
SHA512 a250fb077a1c715cce240666b69dddf22ed978259e27f0f424dfd9fbd02e2a9f71f1473f4b6acaeb5692fb276bc528cdab28ea4b447d2e75cdfc94c133bbac2f
-
Filesize
69KB
MD5 ac6b3245243b3cfcd12951e17c983260
SHA1 cb0527c11d322bf29f399fc627d317a9f570e4d6
SHA256 3dfa9c30116ac850738da080d7f0e13c71d9ef14cff4a68de054aa743e681768
SHA512 ef5f486e0adb360f163f9c37aa1d065c96cb8e056986a5a8a28c35852f581610725ee3ec4cf57985956d9399f1cd12b4f48745d2b524037be97c8883daf26792
-
Filesize
69KB
MD5 9cc2e3a9885a065058c7a47d42af4175
SHA1 e2b20ccceef3a36aa2b3b0a58c697fdddfbe92a2
SHA256 f9ccab00e4179dd82350aa7052181d4476c1a0185036d50dd34a7e9530787747
SHA512 dddd243d46c1b3d67143f7fc7af39e0b5375a7d1f40649c52e88afeb866a2021cc85f04a7d42565e9815d36186758804f3fdffb42b07038c487bc12d0345f959
-
Filesize
69KB
MD5 a719e04c47efabe4b9f290f87a1cd4b8
SHA1 1975de7a02a65dcf591686b2155aa9c11961427a
SHA256 e874dc98f1d963289a87819e692a85cd4eee42b8cfc221d6824d55893a85de09
SHA512 4e5377d48f619c6d3c57279b782c68d145c17c1fae8d92e2aa17e5fe24a698c1737b9f76497da07a3c355e1b07662cd604be3eff379fb53dfaa171865a6d2039
-
Filesize
69KB
MD5 c03788c4090d96507315f392d1f54d16
SHA1 dfca3048f6669d23f3947615a3984faa11e56f84
SHA256 8b8982ebe191dc9e1661f88deba3336ea3b0f5872ba3d1b6064c8f29747c9e86
SHA512 5fce5b02b850a8e6851da8bfb1255e795b94835f00d82aecc54b5d48f4289d4b90119a5e5f03ab8c33bd70f46728faf39766c34c8324f88b27ad5084d1245409
-
Filesize
69KB
MD5 67d02a48b95a370171b9c00a6ac25b01
SHA1 501f5070a1d203615c1ad29d01c40a0727df223b
SHA256 45c903e79a95ab6463d970f91d6adb8e0168032f0a853c44b0c723a8f7cfeea6
SHA512 759b69a55020f8f0d45f36e3a902d57bd98283f63566633914d7b6591d99dfe5878b598691d39a73d665ce14de42578d7c00d439b3c08414616ecd380fbd0e6d
-
Filesize
69KB
MD5 828453c8a2290878e63a33bf36f994cb
SHA1 fdc83e4bb7194d75e03e26b265dfd735bea13cda
SHA256 8d18f243a5ac3b65874515bcad497aa6c783fa02982dbda5c8efd107e85f58d3
SHA512 99144944764099fd043a977ec846f0c3202c212f9de3c7af96647b88515f1d07cdc10b0a2c433cb89a06f97b279d4559710760324f77bc3de6070a6eead3612f