Analysis
max time kernel: 24s
max time network: 16s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 09:15
Static task: static1
Behavioral task: behavioral1
  Sample: 5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe
  Resource: win10v2004-20241007-en
General
Target: 5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe
Size: 97KB
MD5: ceb0c7f83ecc49b2bdfb6df1cb8c0650
SHA1: fe9a95a2e8435171b783bd25d5de57e2fdd1080f
SHA256: 5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4
SHA512: 9ae89204edbd442968459947c0ddd6ceb505675a71654878af09a35d098dde93c24f5e28a0f8b7b297e125315be4901e3eb6518cb1bc12f2dafdda9a5461d774
SSDEEP: 1536:AInrUTbBc0XOVhOqXQiQtDdLLXUwXfzwE57pvJXeYZ6:tnrIBSVhciQNdLfPzwm7pJXeK6
Malware Config
Extracted family: berbew
URLs:
  http://tat-neftbank.ru/kkq.php
  http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 26 IoCs)
Every process in the chain except the last one (Cacacg32.exe, which crashes) performs the same two registry writes, so the 26 IoCs are 13 processes x 2 operations:

Key created:     \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

Processes performing both writes:
  5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe
  Amelne32.exe
  Afnagk32.exe
  Bpfeppop.exe
  Biojif32.exe
  Bnkbam32.exe
  Biafnecn.exe
  Bbikgk32.exe
  Bhfcpb32.exe
  Bmclhi32.exe
  Bhhpeafc.exe
  Bmeimhdj.exe
  Cdoajb32.exe

The value name "Web Event Logger" is not a stock Windows SSODL entry; Explorer instantiates every CLSID listed under this key at shell start, so the DLL registered for {79FEACFF-FFCE-815E-A900-316290B5B738} (see "Modifies registry class" below) is loaded into explorer.exe at each logon.
Berbew family
-
Executes dropped EXE (13 IoCs)
pid   Process
2948  Amelne32.exe
2956  Afnagk32.exe
2840  Bpfeppop.exe
2732  Biojif32.exe
2164  Bnkbam32.exe
644   Biafnecn.exe
836   Bbikgk32.exe
2260  Bhfcpb32.exe
760   Bmclhi32.exe
848   Bhhpeafc.exe
2032  Bmeimhdj.exe
2736  Cdoajb32.exe
1816  Cacacg32.exe
Loads dropped DLL (30 IoCs)
pid   Process (times recorded)
2816  5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe (2)
2948  Amelne32.exe (2)
2956  Afnagk32.exe (2)
2840  Bpfeppop.exe (2)
2732  Biojif32.exe (2)
2164  Bnkbam32.exe (2)
644   Biafnecn.exe (2)
836   Bbikgk32.exe (2)
2260  Bhfcpb32.exe (2)
760   Bmclhi32.exe (2)
848   Bhhpeafc.exe (2)
2032  Bmeimhdj.exe (2)
2736  Cdoajb32.exe (2)
1428  WerFault.exe (4)
Drops file in System32 directory (39 IoCs)
All paths are under C:\Windows\SysWOW64\. Each process creates the next executable in the chain, opens that same executable for modification, and creates one DLL (3 IoCs per process, 13 processes):

Process                                                                  EXE created and opened for modification   DLL created
5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe   Amelne32.exe                              Ebjnie32.dll
Amelne32.exe                                                             Afnagk32.exe                              Mgjcep32.dll
Afnagk32.exe                                                             Bpfeppop.exe                              Pqncgcah.dll
Bpfeppop.exe                                                             Biojif32.exe                              Mmdgdp32.dll
Biojif32.exe                                                             Bnkbam32.exe                              Nodmbemj.dll
Bnkbam32.exe                                                             Biafnecn.exe                              Deokbacp.dll
Biafnecn.exe                                                             Bbikgk32.exe                              Abacpl32.dll
Bbikgk32.exe                                                             Bhfcpb32.exe                              Mlcpdacl.dll
Bhfcpb32.exe                                                             Bmclhi32.exe                              Opacnnhp.dll
Bmclhi32.exe                                                             Bhhpeafc.exe                              Jodjlm32.dll
Bhhpeafc.exe                                                             Bmeimhdj.exe                              Oimbjlde.dll
Bmeimhdj.exe                                                             Cdoajb32.exe                              Dnabbkhk.dll
Cdoajb32.exe                                                             Cacacg32.exe                              Fdlpjk32.dll
Program crash (1 IoC)
pid 1428 (WerFault.exe) handled a crash of pid_target 1816 (Cacacg32.exe, procid_target 42)
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. On its own this is a weak signal, since any locale-aware program reads the same key; it matters here because every process in the chain does it.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (one IoC each): 5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe, Amelne32.exe, Afnagk32.exe, Biafnecn.exe, Bhfcpb32.exe, Bmeimhdj.exe, Bpfeppop.exe, Bbikgk32.exe, Bmclhi32.exe, Biojif32.exe, Bhhpeafc.exe, Cacacg32.exe, Bnkbam32.exe, Cdoajb32.exe
Modifies registry class (42 IoCs)
All writes target the in-process COM server for the CLSID named by the ShellServiceObjectDelayLoad value:
CLSID key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}

The submitted sample additionally creates the parent keys \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node, ...\Classes\Wow6432Node\CLSID and ...\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} (3 IoCs). Each of the 13 processes below then creates ...\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, sets its default value to the DLL that process dropped, and sets InProcServer32\ThreadingModel = "Apartment" (3 IoCs per process, 39 in total). Because every hop re-points the same CLSID, the DLL Explorer actually loads at the next logon is whichever was written last.

Process                                                                  InProcServer32 default value
5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe   "C:\\Windows\\SysWow64\\Ebjnie32.dll"
Amelne32.exe                                                             "C:\\Windows\\SysWow64\\Mgjcep32.dll"
Afnagk32.exe                                                             "C:\\Windows\\SysWow64\\Pqncgcah.dll"
Bpfeppop.exe                                                             "C:\\Windows\\SysWow64\\Mmdgdp32.dll"
Biojif32.exe                                                             "C:\\Windows\\SysWow64\\Nodmbemj.dll"
Bnkbam32.exe                                                             "C:\\Windows\\SysWow64\\Deokbacp.dll"
Biafnecn.exe                                                             "C:\\Windows\\SysWow64\\Abacpl32.dll"
Bbikgk32.exe                                                             "C:\\Windows\\SysWow64\\Mlcpdacl.dll"
Bhfcpb32.exe                                                             "C:\\Windows\\SysWow64\\Opacnnhp.dll"
Bmclhi32.exe                                                             "C:\\Windows\\SysWow64\\Jodjlm32.dll"
Bhhpeafc.exe                                                             "C:\\Windows\\SysWow64\\Oimbjlde.dll"
Bmeimhdj.exe                                                             "C:\\Windows\\SysWow64\\Dnabbkhk.dll"
Cdoajb32.exe                                                             "C:\\Windows\\SysWow64\\Fdlpjk32.dll"
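The two registry signatures above ("Adds autorun key" and "Modifies registry class") only make sense together: the SSODL value supplies a CLSID, and the CLSID's InProcServer32 key supplies the DLL that explorer.exe will load. The script below is an added example, not part of the sandbox report or of any vendor tooling. It walks registry events in the description / ioc / process shape this report prints, pairs each ShellServiceObjectDelayLoad value with every InProcServer32 DLL written for its CLSID, and flags anything outside a baseline. EVENTS is a constructed subset of the report's own entries plus one stock WebCheck entry as a control; KNOWN_GOOD is an assumed baseline (its WebCheck CLSID is the one a stock Windows 7 image carries, but seed it from a clean image of your own build before relying on it).

```python
"""Correlate ShellServiceObjectDelayLoad (SSODL) persistence with the COM
registration that backs it, over sandbox-style registry event triples."""
import re
from collections import defaultdict

ROOT = "5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe"
SSODL = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
BERBEW = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

# Assumed baseline (verify against a clean image): value name -> CLSID.
KNOWN_GOOD = {"WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

# Constructed sample events, (description, ioc, process), copied from the report.
EVENTS = [
    ("Key created", SSODL, ROOT),
    ("Set value (str)", SSODL + r'\Web Event Logger = "' + BERBEW + '"', ROOT),
    ("Key created", CLSID + "\\" + BERBEW + r"\InProcServer32", ROOT),
    ("Set value (str)", CLSID + "\\" + BERBEW + r'\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"', ROOT),
    ("Set value (str)", CLSID + "\\" + BERBEW + r'\InProcServer32\ThreadingModel = "Apartment"', ROOT),
    # a later hop re-points the same CLSID at the DLL it dropped itself
    ("Set value (str)", SSODL + r'\Web Event Logger = "' + BERBEW + '"', "Bnkbam32.exe"),
    ("Set value (str)", CLSID + "\\" + BERBEW + r'\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"', "Bnkbam32.exe"),
    # control entry (constructed, not from the report): the stock object must not fire
    ("Set value (str)", SSODL + r'\WebCheck = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"', "explorer.exe"),
]

# "...\ShellServiceObjectDelayLoad\<value name> = "{CLSID}""
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\=]+?) = "(?P<clsid>\{[0-9A-Fa-f-]+\})"')
# "...\CLSID\{CLSID}\InProcServer32\ = "<dll path>""  (the default value)
INPROC_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32\\ = "(?P<dll>[^"]+)"')


def correlate(events, known_good=KNOWN_GOOD):
    """Return one finding per SSODL value that is not in the baseline."""
    ssodl = {}                  # clsid -> {"name": value name, "writers": [process, ...]}
    inproc = defaultdict(list)  # clsid -> [(dll path, process), ...] in event order
    for _desc, ioc, proc in events:
        if m := SSODL_RE.search(ioc):
            entry = ssodl.setdefault(m["clsid"].upper(), {"name": m["name"], "writers": []})
            entry["writers"].append(proc)
        elif m := INPROC_RE.search(ioc):
            # the report escapes backslashes inside REG_SZ data; undo that
            inproc[m["clsid"].upper()].append((m["dll"].replace("\\\\", "\\"), proc))
    findings = []
    for clsid, entry in ssodl.items():
        if known_good.get(entry["name"], "").upper() == clsid:
            continue
        dlls = inproc.get(clsid, [])
        findings.append({
            "value_name": entry["name"],
            "clsid": clsid,
            "writers": entry["writers"],
            "dlls": [d for d, _ in dlls],
            "loaded_dll": dlls[-1][0] if dlls else None,  # last write wins at next logon
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"SSODL '{f['value_name']}' -> {f['clsid']} -> {f['loaded_dll']} "
              f"(written by {', '.join(f['writers'])}; {len(f['dlls'])} DLL writes)")
```

On a live 64-bit host the same correlation is done against HKLM\SOFTWARE\Wow6432Node\...\ShellServiceObjectDelayLoad and HKLM\SOFTWARE\Classes\Wow6432Node\CLSID, because the sample is 32-bit and its writes land in the WOW64 view; a hunt that only reads the native 64-bit keys will miss it.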
Suspicious use of WriteProcessMemory (56 IoCs)
Each parent wrote into the memory of the child it had just dropped and spawned. Every pair below is recorded four times in the raw log (14 pairs x 4 = 56):

parent PID  parent Process                                                          child PID  procid_target
2816        5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe  2948       30
2948        Amelne32.exe                                                            2956       31
2956        Afnagk32.exe                                                            2840       32
2840        Bpfeppop.exe                                                            2732       33
2732        Biojif32.exe                                                            2164       34
2164        Bnkbam32.exe                                                            644        35
644         Biafnecn.exe                                                            836        36
836         Bbikgk32.exe                                                            2260       37
2260        Bhfcpb32.exe                                                            760        38
760         Bmclhi32.exe                                                            848        39
848         Bhhpeafc.exe                                                            2032       40
2032        Bmeimhdj.exe                                                            2736       41
2736        Cdoajb32.exe                                                            1816       42
1816        Cacacg32.exe                                                            1428       43
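The three process-level signatures ("Drops file in System32 directory", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory") describe one mechanism: every hop writes a fresh copy of itself under a random eight-letter name, spawns it, and then stops being interesting. The script below is an added example, not part of the report, that rebuilds that lineage from the IoC lines in the exact shapes the report prints them, collapses the four-fold WriteProcessMemory repetition, and checks at every hop that the child is precisely the executable the parent had dropped. SAMPLE_LINES is a constructed subset of the report covering the first four hops; the full signature text parses the same way.

```python
"""Rebuild the drop-and-spawn chain from sandbox IoC lines and verify that
each process spawned exactly the file it dropped."""
import re
from collections import defaultdict

ROOT = "5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe"

# "File created <path> <dropping process>"        (Drops file in System32 directory)
FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+)$")
# "<pid> <process>"                                 (Executes dropped EXE)
PID_RE = re.compile(r"^(?P<pid>\d+) (?P<proc>\S+)$")
# "PID <p> wrote to memory of <c> <p> <process> <procid_target>"  (WriteProcessMemory)
WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) (?P<proc>\S+) \d+$")

# Constructed subset of the report's own IoC lines.
SAMPLE_LINES = [
    "File created C:\\Windows\\SysWOW64\\Amelne32.exe " + ROOT,
    "File created C:\\Windows\\SysWOW64\\Ebjnie32.dll " + ROOT,
    "File created C:\\Windows\\SysWOW64\\Afnagk32.exe Amelne32.exe",
    "File created C:\\Windows\\SysWOW64\\Bpfeppop.exe Afnagk32.exe",
    "File created C:\\Windows\\SysWOW64\\Biojif32.exe Bpfeppop.exe",
    "2948 Amelne32.exe",
    "2956 Afnagk32.exe",
    "2840 Bpfeppop.exe",
    "2732 Biojif32.exe",
    "PID 2816 wrote to memory of 2948 2816 " + ROOT + " 30",
    "PID 2816 wrote to memory of 2948 2816 " + ROOT + " 30",  # the report repeats each pair
    "PID 2948 wrote to memory of 2956 2948 Amelne32.exe 31",
    "PID 2956 wrote to memory of 2840 2956 Afnagk32.exe 32",
    "PID 2840 wrote to memory of 2732 2840 Bpfeppop.exe 33",
]


def parse(lines):
    drops = defaultdict(set)  # dropper process name -> {dropped basename, lower-cased}
    names = {}                # pid -> process name
    spawns = {}               # parent pid -> child pid (duplicate rows collapse here)
    for line in lines:
        line = line.strip()
        if m := FILE_RE.match(line):
            drops[m["proc"]].add(m["path"].rsplit("\\", 1)[-1].lower())
        elif m := WPM_RE.match(line):
            names[int(m["parent"])] = m["proc"]
            spawns[int(m["parent"])] = int(m["child"])
        elif m := PID_RE.match(line):
            names[int(m["pid"])] = m["proc"]
    return drops, names, spawns


def chain(lines, root_pid):
    """Follow root_pid's descendants; each step is (parent, child, parent_dropped_child)."""
    drops, names, spawns = parse(lines)
    steps, pid, seen = [], root_pid, set()
    while pid in spawns and pid not in seen:   # `seen` guards against a cyclic log
        seen.add(pid)
        child = spawns[pid]
        parent_name, child_name = names[pid], names.get(child, "?")
        steps.append((parent_name, child_name, child_name.lower() in drops.get(parent_name, set())))
        pid = child
    return steps


def unexplained_children(lines, root_pid):
    """Children that were spawned but not dropped by their parent (WerFault.exe in the full log)."""
    return [child for _parent, child, dropped in chain(lines, root_pid) if not dropped]


if __name__ == "__main__":
    for depth, (parent, child, ok) in enumerate(chain(SAMPLE_LINES, 2816), start=1):
        print(f"{depth:2d}  {parent} -> {child}  {'dropped by parent' if ok else 'NOT dropped by parent'}")
```

Run against the full report the chain is 14 hops long and the only hop that fails the "parent dropped the child" check is Cacacg32.exe -> WerFault.exe, which is the crash handler, not a dropped file.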
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe, command line: "C:\Users\Admin\AppData\Local\Temp\5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816 -
Level 2: C:\Windows\SysWOW64\Amelne32.exe, command line: C:\Windows\system32\Amelne32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
Level 3: C:\Windows\SysWOW64\Afnagk32.exe, command line: C:\Windows\system32\Afnagk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956 -
Level 4: C:\Windows\SysWOW64\Bpfeppop.exe, command line: C:\Windows\system32\Bpfeppop.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
Level 5: C:\Windows\SysWOW64\Biojif32.exe, command line: C:\Windows\system32\Biojif32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
Level 6: C:\Windows\SysWOW64\Bnkbam32.exe, command line: C:\Windows\system32\Bnkbam32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
Level 7: C:\Windows\SysWOW64\Biafnecn.exe, command line: C:\Windows\system32\Biafnecn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:644 -
Level 8: C:\Windows\SysWOW64\Bbikgk32.exe, command line: C:\Windows\system32\Bbikgk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:836 -
Level 9: C:\Windows\SysWOW64\Bhfcpb32.exe, command line: C:\Windows\system32\Bhfcpb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260 -
Level 10: C:\Windows\SysWOW64\Bmclhi32.exe, command line: C:\Windows\system32\Bmclhi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760 -
Level 11: C:\Windows\SysWOW64\Bhhpeafc.exe, command line: C:\Windows\system32\Bhhpeafc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:848 -
Level 12: C:\Windows\SysWOW64\Bmeimhdj.exe, command line: C:\Windows\system32\Bmeimhdj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032 -
Level 13: C:\Windows\SysWOW64\Cdoajb32.exe, command line: C:\Windows\system32\Cdoajb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736 -
Level 14: C:\Windows\SysWOW64\Cacacg32.exe, command line: C:\Windows\system32\Cacacg32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816 -
Level 15: C:\Windows\SysWOW64\WerFault.exe, command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 140
- Loads dropped DLL
- Program crash
PID:1428
Network
MITRE ATT&CK Enterprise v15
Downloads
Thirteen dropped files, each 97KB, the same size as the submitted sample but with thirteen distinct hash sets; the report does not map these hashes to the file names above.

1. Filesize: 97KB
   MD5: 52c55934a218a49ed38bf79e9666e7e5
   SHA1: 991ad1764d0c4446c904419ba05b7b77251b6895
   SHA256: 8fcf319423f8d79f10d6d856fbdfb10fbeecfcf28e5801037623e822cc3e5abc
   SHA512: ed5eaa8ef6f99ea4e1ee2b9767ce7c1854ced2958ab0baaa16a5763590a9bb7bfb66bef4984cfcea79650d2bafced1cb3fcc55d6d195261da3f6537f5786e35a

2. Filesize: 97KB
   MD5: 571e3626ff91ada341a2c9ef45a39382
   SHA1: 7242f25086e47d7ed187e5cfd067889dcd72349d
   SHA256: 9bc82e4dc31a248c3b0a13543c562f79c2717b152f88e6e4fd14667a375ff984
   SHA512: 36ca9086d95a4142f70cccf44c0bc8bff95be2b98400c65be91a9ce479fcb30feb1f4e0aff09460ec3a44f58c5b8705c99c748d4f6fd64d0fd3bf1bac7584da6

3. Filesize: 97KB
   MD5: f8a07caa3bbb7774b55645dead15ab06
   SHA1: ef8aa8d721f932243a639219fd37fda59baace4e
   SHA256: a26a5967dc1a8dfdfe832ee215cb8aa6b4fbb0788e4a50f5435317854955f95b
   SHA512: 8b7e657d54b7cfafd21491da3fc2add662d43b42d34ced5f68e9599881c78cfa1befe79c20b505f0e2a6672711ed865c2d1571c9831e9565f24eafd0a356c84a

4. Filesize: 97KB
   MD5: 9ec6d8d5c2737f910d91c74abc13b931
   SHA1: 6a39d01d48af4eb1d1c4da5470a78fa75fe04396
   SHA256: 1a326ba0aaa1a1efc92a5c709b5f87c7133e0481658682bd0f56d6e9e2006f2b
   SHA512: 85a44c9ff55853f5d3aad80656c20084bb3a972f7a803d6114c6275222e77b9171207ee3f0761c8168f20df6831b47f88c7d296c27961b7081c3b432e4614cbb

5. Filesize: 97KB
   MD5: f40206903b4ee9baa9d273d370b88ba3
   SHA1: c08247d14c102cd2cc89cba8d19c6654183921ba
   SHA256: 0111162a2a977cf8b260078884812117f134af497f73bf361dc5cdbd9827111a
   SHA512: 2759ce55d2ccf9572afda8d9e8dd9f5ef41ade738e46d76807f54cd94b24ec5b0477187903494b37b489011470071318fdfbab590344c83d94659060740aa868

6. Filesize: 97KB
   MD5: 80cfcf195ba21e293a72d80ab7d4126c
   SHA1: 7d1e9113dc62fc66890c82d77391a5ab2239070c
   SHA256: 9b27502e7db4758d6ac784254351984dbb88021277d2b86442720c07774c090c
   SHA512: b0332ea98649652252ae8efa7e27558af4ec7bf3c9fca662529e405803e3fecc71ce90c7594044c4a722786f9dc0adce2a55fa994b36ea1e0b3cb3dba636d572

7. Filesize: 97KB
   MD5: af13cc603cb3919543f9e732fa3df5d6
   SHA1: f55622fbe243f6e30634f0ddef473a6b852e2c9d
   SHA256: 2ecad7346e922c3373ce116d18f384ea40a874cf9fa2e3f280846a847d6e132e
   SHA512: 5e0e44722989adbce8df1bcbe69d26b7b73d3b68ca3bba21040c704cabe8a0bd1a7a919a931aa93a639de0e5f892215a163e947395bbbfbace8e72e90da227a9

8. Filesize: 97KB
   MD5: b7d1f3d574938f69640e8a0dea654610
   SHA1: 7718f529e6882e7bbaeb028e3da57008ac163f88
   SHA256: 6b5a3ec08fa464ed74b66215ad073d1b70fe734e357ea2d0ba99454443e1cfcf
   SHA512: f12a31564ba11f2c21435ca083aa8b21ba858005d19c6455446d3041fe7098b91788ab260086c0d7ee18b3fb5734fc8b0f848fb5f5219e45b1bed3f8a8a4deaf

9. Filesize: 97KB
   MD5: 06d9a3bce1098151d66878ed01657490
   SHA1: 2a8a514702fc6e25d15daa4837f82b6f89f434f2
   SHA256: 8af88469620a87081ca781c1091fef7838626a7805e261e0b8e250b0ea30b6da
   SHA512: a04d53bbec2974ad4d31d92cabcf2e1cb84eabcf80152bf0ee463608bdac2cb96078751fae45f995258db1d213044c91406a420f29b40556b2ece3962471d78f

10. Filesize: 97KB
    MD5: b03334750daf9a8169c0a9d6de5a919a
    SHA1: 4ec9c29134c909ab6c8a44bdbbc41445a7b880cd
    SHA256: 081dd152a43aee7c67e70e47b5322079a65be18e8b14a777b9a7fbbd6c6ffac0
    SHA512: 731efc1c4af293edd406b1dc464bef352bf3952de08cf0e3f84fe0cc323edbf9d1f59b92ebd2564d95e08b6f3d5901972301cb1daed94f29623e77cd82c93f8b

11. Filesize: 97KB
    MD5: 077af42d7f01bf32fbd6a21cd390b028
    SHA1: 3f745370b3c67b5730c8a25a1cf9e25633666e95
    SHA256: eaaa9e9194098f07b85d57965cffc1605fea0a068ce589fa25c87c631b834474
    SHA512: 0c62a48d9fbdeb77e581979e94fec150132271dc8f1807680298076c889dbd547788ff454a36e89bc309c32167bf77c1c7b8c8d0bcf069f1dec328b28b153ca5

12. Filesize: 97KB
    MD5: 5a2cba0a57ac84e5e2376059a50978b2
    SHA1: af6401d8b36b43c047112744065a9ee0a6a09d84
    SHA256: 4f0f28d980897fede5110ec956c6850d0a3d5715db345c3ae0a7dac1987c82d6
    SHA512: f24a9bdfd65518c24e43da3b647f6469f0c8b7b5072680b4cebf7806efecb947885936f4d9886636070d17f31a6107e758b412b97e60e894521d05945f58013d

13. Filesize: 97KB
    MD5: 2e52d029bb02456d5ec1368d7bb7cca7
    SHA1: 14eeb00131f46e5325e8a33656152faddb1dfaad
    SHA256: 3f71a2fcbe34f6c399896a717c7131f7d6bd59deca96ee2af119650f603c7e1f
    SHA512: b64719e9261fc16d5aa6718473839e4d561e2f7d364aab1129b9d4530f6aeb4aee30b67fea0688ae8702adec576996d7561fa5ea453f9066d428804453c136b9