Analysis

max time kernel: 24s
max time network: 16s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 09:08
Static task: static1

Behavioral task: behavioral1
  Sample: 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
  Resource: win10v2004-20241007-en
General

Target: 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Size: 85KB
MD5: f84df5a646849c075fc3c1beea495800
SHA1: 42cdd5414c08f2c12b294c074a58f48338b4b194
SHA256: 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5da
SHA512: 910d7ab8f844329c461728c755af7d54188a40ac89dafeaab058940946f70e126a0b9f9ff1e219513e67dabb96c327f6cc2d779b2c640dbec45686c43b2041ad
SSDEEP: 1536:yG8htpniMSxSDxDAk0zGCjQ6+EBsZje5dL2LHaMQ262AjCsQ2PCZZrqOlNfVSLUN:yGeiMSxSDxMzka2HaMQH2qC7ZQOlzSLA
Malware Config

Extracted
Family: berbew
URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 16 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnielm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhdgjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhdgjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Baohhgnf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baadng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blkioa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnkbam32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blaopqpo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baohhgnf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnielm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnkbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blaopqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Baadng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blkioa32.exe
Berbew family
Executes dropped EXE (8 IoCs)

pid | Process
2944 | Blkioa32.exe
2964 | Bnielm32.exe
2832 | Bnkbam32.exe
2700 | Bhdgjb32.exe
320 | Blaopqpo.exe
584 | Baohhgnf.exe
2864 | Baadng32.exe
2220 | Cacacg32.exe
Loads dropped DLL (20 IoCs)

pid | Process
3012 | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
3012 | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
2944 | Blkioa32.exe
2944 | Blkioa32.exe
2964 | Bnielm32.exe
2964 | Bnielm32.exe
2832 | Bnkbam32.exe
2832 | Bnkbam32.exe
2700 | Bhdgjb32.exe
2700 | Bhdgjb32.exe
320 | Blaopqpo.exe
320 | Blaopqpo.exe
584 | Baohhgnf.exe
584 | Baohhgnf.exe
2864 | Baadng32.exe
2864 | Baadng32.exe
2020 | WerFault.exe
2020 | WerFault.exe
2020 | WerFault.exe
2020 | WerFault.exe
Drops file in System32 directory (24 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Ennlme32.dll | Blkioa32.exe
File created | C:\Windows\SysWOW64\Baohhgnf.exe | Blaopqpo.exe
File created | C:\Windows\SysWOW64\Blaopqpo.exe | Bhdgjb32.exe
File created | C:\Windows\SysWOW64\Cacacg32.exe | Baadng32.exe
File created | C:\Windows\SysWOW64\Blkioa32.exe | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
File opened for modification | C:\Windows\SysWOW64\Bnielm32.exe | Blkioa32.exe
File created | C:\Windows\SysWOW64\Nodmbemj.dll | Bnielm32.exe
File created | C:\Windows\SysWOW64\Jbodgd32.dll | Bnkbam32.exe
File opened for modification | C:\Windows\SysWOW64\Baohhgnf.exe | Blaopqpo.exe
File created | C:\Windows\SysWOW64\Nfolbbmp.dll | Blaopqpo.exe
File created | C:\Windows\SysWOW64\Baadng32.exe | Baohhgnf.exe
File created | C:\Windows\SysWOW64\Ljacemio.dll | Baohhgnf.exe
File created | C:\Windows\SysWOW64\Ajpjcomh.dll | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
File created | C:\Windows\SysWOW64\Bnielm32.exe | Blkioa32.exe
File created | C:\Windows\SysWOW64\Bnkbam32.exe | Bnielm32.exe
File opened for modification | C:\Windows\SysWOW64\Bhdgjb32.exe | Bnkbam32.exe
File created | C:\Windows\SysWOW64\Cfgheegc.dll | Bhdgjb32.exe
File opened for modification | C:\Windows\SysWOW64\Baadng32.exe | Baohhgnf.exe
File opened for modification | C:\Windows\SysWOW64\Cacacg32.exe | Baadng32.exe
File created | C:\Windows\SysWOW64\Fdlpjk32.dll | Baadng32.exe
File opened for modification | C:\Windows\SysWOW64\Blkioa32.exe | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
File opened for modification | C:\Windows\SysWOW64\Bnkbam32.exe | Bnielm32.exe
File created | C:\Windows\SysWOW64\Bhdgjb32.exe | Bnkbam32.exe
File opened for modification | C:\Windows\SysWOW64\Blaopqpo.exe | Bhdgjb32.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
2020 | 2220 | WerFault.exe | 37
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blkioa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnielm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blaopqpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baadng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cacacg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnkbam32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhdgjb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baohhgnf.exe
Modifies registry class (27 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blkioa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll" | Bnkbam32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Baadng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Baohhgnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baohhgnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baadng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll" | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll" | Blkioa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Blkioa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bhdgjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" | Baohhgnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnkbam32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhdgjb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blaopqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Blaopqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll" | Bhdgjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll" | Blaopqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnielm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnielm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll" | Bnielm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnkbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" | Baadng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
Suspicious use of WriteProcessMemory (36 IoCs)

description | pid | Process | procid_target
PID 3012 wrote to memory of 2944 | 3012 | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe | 30
PID 3012 wrote to memory of 2944 | 3012 | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe | 30
PID 3012 wrote to memory of 2944 | 3012 | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe | 30
PID 3012 wrote to memory of 2944 | 3012 | 6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe | 30
PID 2944 wrote to memory of 2964 | 2944 | Blkioa32.exe | 31
PID 2944 wrote to memory of 2964 | 2944 | Blkioa32.exe | 31
PID 2944 wrote to memory of 2964 | 2944 | Blkioa32.exe | 31
PID 2944 wrote to memory of 2964 | 2944 | Blkioa32.exe | 31
PID 2964 wrote to memory of 2832 | 2964 | Bnielm32.exe | 32
PID 2964 wrote to memory of 2832 | 2964 | Bnielm32.exe | 32
PID 2964 wrote to memory of 2832 | 2964 | Bnielm32.exe | 32
PID 2964 wrote to memory of 2832 | 2964 | Bnielm32.exe | 32
PID 2832 wrote to memory of 2700 | 2832 | Bnkbam32.exe | 33
PID 2832 wrote to memory of 2700 | 2832 | Bnkbam32.exe | 33
PID 2832 wrote to memory of 2700 | 2832 | Bnkbam32.exe | 33
PID 2832 wrote to memory of 2700 | 2832 | Bnkbam32.exe | 33
PID 2700 wrote to memory of 320 | 2700 | Bhdgjb32.exe | 34
PID 2700 wrote to memory of 320 | 2700 | Bhdgjb32.exe | 34
PID 2700 wrote to memory of 320 | 2700 | Bhdgjb32.exe | 34
PID 2700 wrote to memory of 320 | 2700 | Bhdgjb32.exe | 34
PID 320 wrote to memory of 584 | 320 | Blaopqpo.exe | 35
PID 320 wrote to memory of 584 | 320 | Blaopqpo.exe | 35
PID 320 wrote to memory of 584 | 320 | Blaopqpo.exe | 35
PID 320 wrote to memory of 584 | 320 | Blaopqpo.exe | 35
PID 584 wrote to memory of 2864 | 584 | Baohhgnf.exe | 36
PID 584 wrote to memory of 2864 | 584 | Baohhgnf.exe | 36
PID 584 wrote to memory of 2864 | 584 | Baohhgnf.exe | 36
PID 584 wrote to memory of 2864 | 584 | Baohhgnf.exe | 36
PID 2864 wrote to memory of 2220 | 2864 | Baadng32.exe | 37
PID 2864 wrote to memory of 2220 | 2864 | Baadng32.exe | 37
PID 2864 wrote to memory of 2220 | 2864 | Baadng32.exe | 37
PID 2864 wrote to memory of 2220 | 2864 | Baadng32.exe | 37
PID 2220 wrote to memory of 2020 | 2220 | Cacacg32.exe | 38
PID 2220 wrote to memory of 2020 | 2220 | Cacacg32.exe | 38
PID 2220 wrote to memory of 2020 | 2220 | Cacacg32.exe | 38
PID 2220 wrote to memory of 2020 | 2220 | Cacacg32.exe | 38
Processes

Each process below is spawned by the one above it (tree depth 1 to 10).

C:\Users\Admin\AppData\Local\Temp\6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe"
  PID: 3012
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Blkioa32.exe
    Command line: C:\Windows\system32\Blkioa32.exe
    PID: 2944
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Bnielm32.exe
      Command line: C:\Windows\system32\Bnielm32.exe
      PID: 2964
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Bnkbam32.exe
        Command line: C:\Windows\system32\Bnkbam32.exe
        PID: 2832
        - Adds autorun key to be loaded by Explorer.exe on startup
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Bhdgjb32.exe
          Command line: C:\Windows\system32\Bhdgjb32.exe
          PID: 2700
          - Adds autorun key to be loaded by Explorer.exe on startup
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\Blaopqpo.exe
            Command line: C:\Windows\system32\Blaopqpo.exe
            PID: 320
            - Adds autorun key to be loaded by Explorer.exe on startup
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\Baohhgnf.exe
              Command line: C:\Windows\system32\Baohhgnf.exe
              PID: 584
              - Adds autorun key to be loaded by Explorer.exe on startup
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              - Suspicious use of WriteProcessMemory

              C:\Windows\SysWOW64\Baadng32.exe
                Command line: C:\Windows\system32\Baadng32.exe
                PID: 2864
                - Adds autorun key to be loaded by Explorer.exe on startup
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\Cacacg32.exe
                  Command line: C:\Windows\system32\Cacacg32.exe
                  PID: 2220
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                  C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 140
                    PID: 2020
                    - Loads dropped DLL
                    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 85KB
MD5: 4e02ea3da6f8e14f33cdcbdc83d6072a
SHA1: fa3f52e56e13a0750d8ed8c0fe0dff69b69d9368
SHA256: 88a8e10a34bcd1235d46995548475a28097891e06122550d1247840fa87c7ba7
SHA512: 02b3723206dcf51978bcec1a98cd865f95d1a35374f131809ded1575734a66eec0578c1a0554479f4410280ac5ec39f7bde50ac731eda0adb7daa9b15ed2f8ca

Filesize: 85KB
MD5: d2552f15e5fc8ca1ee204f8c2b875cc5
SHA1: 882f67c66d2ff2adfdacfb2c0383fb4ad52761a3
SHA256: f5c8c7961601f1055c2b099535b0d10a3e0332fff54d978d3694eaf2ec597ea2
SHA512: cd2c9b44de234c9460aa801f41979ca6a82f8189354ade03c2f396c91aa38f0159fa7262001681ceefafd1d1ffb6cef186513fb270b28c3a0272367cf3ecbab8

Filesize: 85KB
MD5: 3a83dc929d2202a711d68cb9cfa0206e
SHA1: c58549e65813d89b442ccf860230ca910a7b2140
SHA256: fe839823ef27d583594ce444d61418003f422b8f71c289f41f729ff4ba12d653
SHA512: 7c1937ca3c208bd68fa6b1788a6b382a68a6f43481415b753421759ea1caec6511011ab51b3cbc3a35b01f119e0008cabc75787c39aa9d768172efc12e1a0fc0

Filesize: 85KB
MD5: 76c4457859690be246bf845cebb9ac87
SHA1: 1af2c4dc3c77cd607ab266e7b4cd629194971155
SHA256: fa323bd7e86eb2ae03bd951beb09c7bd8295716a86d6011e18c8d9ec8d3ec079
SHA512: 67e6d97054522c2c7df924e5d540506518abfa76b7786fff405343eb51e174ed497a66285762376a25004c8091bf19aee62c8f4a7fb93473fe9ca72b8351fa6d

Filesize: 85KB
MD5: 0369cb650ec79015579a213e9bd28787
SHA1: 2d02157206a7dcdf3ce6aba49ec2201a97b60a5b
SHA256: 28265d953fc2513265b8db47d4b32571c0d10c78092a768254d8f1cc8f3837ab
SHA512: 0b14f74f4c21e02b7ee42d501c4ef60f92790a3cf02bd3ed328a0f17baf3f065e49cc8cab82b0ac29fa84481bb397c0ef5648275ec594777d62e5d5cc46720be

Filesize: 85KB
MD5: 251dd1fcb5b2924893aee97290d2f6d0
SHA1: 528f2e4eccd4a0423e0986ab1ef67915e5b8f2bb
SHA256: 58694bb9a8b684fcd4d2b75eeaab997f706dac46434f13068bc0e3725eb193f4
SHA512: df101ac5d896347d1cf9d571bf9f41bd4b88619b30c3862c872d414cd695e9611e2f13fad3f4dca5467ce6f93827e5a20c5eb02cc284e952aabbb30a407dbfc6

Filesize: 85KB
MD5: 87f5ae7f2970477ca17989799e537ac5
SHA1: 4624c8403bc00890a7b5014f72f04b2c426c0310
SHA256: e74149614c5f0f552a9ac834b4e6c8ef697af7ea785e3bf07e965362725e9af7
SHA512: e4a30b859fdb43956a39e72139e87058cf7b40a473b9c703833e9aaca48061a3ba96530c1a2568e4f7b0722f36871947134eb931413ddecb3341e01d27186671

Filesize: 85KB
MD5: 63c86ab7fc508f72029ba2a302cdd461
SHA1: b94b08241a4b3b0ad109e16e1a8498c0d0adb9d0
SHA256: 285486cd1ba6aad2510aef9ab5a2bfc7950b6e42a740fa0ec9350868dbf62f52
SHA512: 65d056b60e45c36346e85d1a89f220e63d2fbb46639c95b6314207614d0a20e077cd829d6afd96d6a7ecf8ce719400099aa9bdfe127ef938d0d7fd462e60356b