Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10-11-2024 01:41
Static task: static1
Behavioral task: behavioral1
- Sample: adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Resource: win10v2004-20241007-en
General
- Target: adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Size: 1.9MB
- MD5: 84c24d3d3092fb84662660790271af94
- SHA1: b6b9945c52e2d927cff1c88fa3105a79d35f182c
- SHA256: adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0
- SHA512: e37c528a8621228526c5df22bbe72d8ae45d16907ddb63843df93be497f3e6299c02981ca0df681e271e1e27418bfbe8ebcacba77bbc0da16fa160b583ec675b
- SSDEEP: 24576:wotNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:w/yj1yj3uOpyj1yjH
Malware Config
- Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 16 IoCs)
Processes: adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe, Kfaalh32.exe, Ieibdnnp.exe, Jllqplnp.exe, Libjncnc.exe, Jmkmjoec.exe, Llpfjomf.exe, Kpgionie.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfaalh32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ieibdnnp.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jllqplnp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Libjncnc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jllqplnp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmkmjoec.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llpfjomf.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpgionie.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfaalh32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Libjncnc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llpfjomf.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ieibdnnp.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmkmjoec.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpgionie.exe
Berbew family
Executes dropped EXE (8 IoCs)
Processes: Ieibdnnp.exe, Jllqplnp.exe, Jmkmjoec.exe, Kpgionie.exe, Kfaalh32.exe, Libjncnc.exe, Llpfjomf.exe, Lbjofi32.exe
pid | process
- 2784 | Ieibdnnp.exe
- 2680 | Jllqplnp.exe
- 2636 | Jmkmjoec.exe
- 2620 | Kpgionie.exe
- 3048 | Kfaalh32.exe
- 2336 | Libjncnc.exe
- 2140 | Llpfjomf.exe
- 668 | Lbjofi32.exe
Loads dropped DLL (21 IoCs)
Processes: adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe, Ieibdnnp.exe, Jllqplnp.exe, Jmkmjoec.exe, Kpgionie.exe, Kfaalh32.exe, Libjncnc.exe, Llpfjomf.exe, WerFault.exe
pid | process (number of load events)
- 2656 | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe (2)
- 2784 | Ieibdnnp.exe (2)
- 2680 | Jllqplnp.exe (2)
- 2636 | Jmkmjoec.exe (2)
- 2620 | Kpgionie.exe (2)
- 3048 | Kfaalh32.exe (2)
- 2336 | Libjncnc.exe (2)
- 2140 | Llpfjomf.exe (2)
- 2264 | WerFault.exe (5)
Drops file in System32 directory (24 IoCs)
Processes: adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe, Ieibdnnp.exe, Jllqplnp.exe, Jmkmjoec.exe, Libjncnc.exe, Kpgionie.exe, Kfaalh32.exe, Llpfjomf.exe
description | ioc | process
- File created | C:\Windows\SysWOW64\Ieibdnnp.exe | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- File opened for modification | C:\Windows\SysWOW64\Ieibdnnp.exe | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- File created | C:\Windows\SysWOW64\Fbbngc32.dll | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- File created | C:\Windows\SysWOW64\Jllqplnp.exe | Ieibdnnp.exe
- File created | C:\Windows\SysWOW64\Dnhanebc.dll | Ieibdnnp.exe
- File created | C:\Windows\SysWOW64\Jmkmjoec.exe | Jllqplnp.exe
- File opened for modification | C:\Windows\SysWOW64\Kpgionie.exe | Jmkmjoec.exe
- File created | C:\Windows\SysWOW64\Bccjfi32.dll | Libjncnc.exe
- File opened for modification | C:\Windows\SysWOW64\Jmkmjoec.exe | Jllqplnp.exe
- File created | C:\Windows\SysWOW64\Hapbpm32.dll | Jllqplnp.exe
- File created | C:\Windows\SysWOW64\Kfaalh32.exe | Kpgionie.exe
- File opened for modification | C:\Windows\SysWOW64\Libjncnc.exe | Kfaalh32.exe
- File opened for modification | C:\Windows\SysWOW64\Lbjofi32.exe | Llpfjomf.exe
- File created | C:\Windows\SysWOW64\Jbdhhp32.dll | Jmkmjoec.exe
- File created | C:\Windows\SysWOW64\Phblkn32.dll | Kpgionie.exe
- File created | C:\Windows\SysWOW64\Ipbkjl32.dll | Kfaalh32.exe
- File created | C:\Windows\SysWOW64\Llpfjomf.exe | Libjncnc.exe
- File created | C:\Windows\SysWOW64\Lbjofi32.exe | Llpfjomf.exe
- File created | C:\Windows\SysWOW64\Ipafocdg.dll | Llpfjomf.exe
- File opened for modification | C:\Windows\SysWOW64\Jllqplnp.exe | Ieibdnnp.exe
- File created | C:\Windows\SysWOW64\Kpgionie.exe | Jmkmjoec.exe
- File opened for modification | C:\Windows\SysWOW64\Kfaalh32.exe | Kpgionie.exe
- File created | C:\Windows\SysWOW64\Libjncnc.exe | Kfaalh32.exe
- File opened for modification | C:\Windows\SysWOW64\Llpfjomf.exe | Libjncnc.exe
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process
- 2264 | 668 | WerFault.exe
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Jllqplnp.exe, Kpgionie.exe, Kfaalh32.exe, Libjncnc.exe, adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe, Ieibdnnp.exe, Jmkmjoec.exe, Llpfjomf.exe, Lbjofi32.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jllqplnp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpgionie.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfaalh32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Libjncnc.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ieibdnnp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmkmjoec.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llpfjomf.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbjofi32.exe
Modifies registry class (27 IoCs)
Processes: Ieibdnnp.exe, Jmkmjoec.exe, adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe, Llpfjomf.exe, Kpgionie.exe, Kfaalh32.exe, Libjncnc.exe, Jllqplnp.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ieibdnnp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jmkmjoec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" | Llpfjomf.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll" | Jmkmjoec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpgionie.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jmkmjoec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfaalh32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" | Ieibdnnp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfaalh32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Libjncnc.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llpfjomf.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llpfjomf.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll" | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jllqplnp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll" | Libjncnc.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpgionie.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll" | Kpgionie.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ieibdnnp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jllqplnp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll" | Jllqplnp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" | Kfaalh32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Libjncnc.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Processes: adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe, Ieibdnnp.exe, Jllqplnp.exe, Jmkmjoec.exe, Kpgionie.exe, Kfaalh32.exe, Libjncnc.exe, Llpfjomf.exe, Lbjofi32.exe
description | pid | process | target process (number of events)
- PID 2656 wrote to memory of 2784 | 2656 | adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe | Ieibdnnp.exe (4)
- PID 2784 wrote to memory of 2680 | 2784 | Ieibdnnp.exe | Jllqplnp.exe (4)
- PID 2680 wrote to memory of 2636 | 2680 | Jllqplnp.exe | Jmkmjoec.exe (4)
- PID 2636 wrote to memory of 2620 | 2636 | Jmkmjoec.exe | Kpgionie.exe (4)
- PID 2620 wrote to memory of 3048 | 2620 | Kpgionie.exe | Kfaalh32.exe (4)
- PID 3048 wrote to memory of 2336 | 3048 | Kfaalh32.exe | Libjncnc.exe (4)
- PID 2336 wrote to memory of 2140 | 2336 | Libjncnc.exe | Llpfjomf.exe (4)
- PID 2140 wrote to memory of 668 | 2140 | Llpfjomf.exe | Lbjofi32.exe (4)
- PID 668 wrote to memory of 2264 | 668 | Lbjofi32.exe | WerFault.exe (4)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2656
[2] C:\Windows\SysWOW64\Ieibdnnp.exe
Command line: C:\Windows\system32\Ieibdnnp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2784
[3] C:\Windows\SysWOW64\Jllqplnp.exe
Command line: C:\Windows\system32\Jllqplnp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2680
[4] C:\Windows\SysWOW64\Jmkmjoec.exe
Command line: C:\Windows\system32\Jmkmjoec.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2636
[5] C:\Windows\SysWOW64\Kpgionie.exe
Command line: C:\Windows\system32\Kpgionie.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2620
[6] C:\Windows\SysWOW64\Kfaalh32.exe
Command line: C:\Windows\system32\Kfaalh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3048
[7] C:\Windows\SysWOW64\Libjncnc.exe
Command line: C:\Windows\system32\Libjncnc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2336
[8] C:\Windows\SysWOW64\Llpfjomf.exe
Command line: C:\Windows\system32\Llpfjomf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2140
[9] C:\Windows\SysWOW64\Lbjofi32.exe
Command line: C:\Windows\system32\Lbjofi32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 668
[10] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 140
- Loads dropped DLL
- Program crash
PID: 2264
Network
MITRE ATT&CK Enterprise v15
Downloads