Analysis

max time kernel: 16s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 15:46

Static task: static1

Behavioral task: behavioral1
Sample: cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe
Resource: win10v2004-20241007-en
General

Target: cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe
Size: 576KB
MD5: 6c33d755e3bf197c5e0c1ee93135e940
SHA1: 8fee40c8bd579f199ee246f997b237d11c7531f4
SHA256: cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4eba
SHA512: 8b1d755a04ac8ec140aac102e137f8a20be750c45e66ed8cafb5fe2dcb33c407b98afca36e23d4c77cf5a1268f06305e6f840d4431127287e04b3f6eff2321ad
SSDEEP: 12288:jMuaTO2rJ8GyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSgRDO:jMuaa2riGyXsGG1ws5ipX6
Malware Config

Extracted family: berbew
- http://f/wcmd.htm
- http://f/ppslog.php
- http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 18 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqijljfd.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckmnbg32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckmnbg32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bmlael32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bqijljfd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbppnbhm.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmedlk32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cegoqlof.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmlael32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbppnbhm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cegoqlof.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bffbdadk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bffbdadk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmedlk32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbdiia32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbdiia32.exe |
Berbew family

Executes dropped EXE (9 IoCs)

| pid | Process |
|---|---|
| 2208 | Bmlael32.exe |
| 2792 | Bqijljfd.exe |
| 2852 | Bffbdadk.exe |
| 1200 | Cbppnbhm.exe |
| 2560 | Cmedlk32.exe |
| 2616 | Cbdiia32.exe |
| 2976 | Ckmnbg32.exe |
| 2268 | Cegoqlof.exe |
| 2816 | Dpapaj32.exe |
Loads dropped DLL (21 IoCs)

| pid | Process |
|---|---|
| 2112 | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| 2112 | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| 2208 | Bmlael32.exe |
| 2208 | Bmlael32.exe |
| 2792 | Bqijljfd.exe |
| 2792 | Bqijljfd.exe |
| 2852 | Bffbdadk.exe |
| 2852 | Bffbdadk.exe |
| 1200 | Cbppnbhm.exe |
| 1200 | Cbppnbhm.exe |
| 2560 | Cmedlk32.exe |
| 2560 | Cmedlk32.exe |
| 2616 | Cbdiia32.exe |
| 2616 | Cbdiia32.exe |
| 2976 | Ckmnbg32.exe |
| 2976 | Ckmnbg32.exe |
| 2268 | Cegoqlof.exe |
| 2268 | Cegoqlof.exe |
| 1832 | WerFault.exe |
| 1832 | WerFault.exe |
| 1832 | WerFault.exe |
Drops file in System32 directory (29 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\Bffbdadk.exe | Bqijljfd.exe |
| File created | C:\Windows\SysWOW64\Cbppnbhm.exe | Bffbdadk.exe |
| File opened for modification | C:\Windows\SysWOW64\Cbppnbhm.exe | Bffbdadk.exe |
| File created | C:\Windows\SysWOW64\Lmajfk32.dll | Cbppnbhm.exe |
| File created | C:\Windows\SysWOW64\Fhgpia32.dll | Cmedlk32.exe |
| File created | C:\Windows\SysWOW64\Ckmnbg32.exe | Cbdiia32.exe |
| File created | C:\Windows\SysWOW64\Dgnenf32.dll | Bmlael32.exe |
| File created | C:\Windows\SysWOW64\Cbdiia32.exe | Cmedlk32.exe |
| File opened for modification | C:\Windows\SysWOW64\Ckmnbg32.exe | Cbdiia32.exe |
| File created | C:\Windows\SysWOW64\Jhogdg32.dll | Cbdiia32.exe |
| File created | C:\Windows\SysWOW64\Dpapaj32.exe | Cegoqlof.exe |
| File opened for modification | C:\Windows\SysWOW64\Cmedlk32.exe | Cbppnbhm.exe |
| File opened for modification | C:\Windows\SysWOW64\Bmlael32.exe | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| File created | C:\Windows\SysWOW64\Bqijljfd.exe | Bmlael32.exe |
| File opened for modification | C:\Windows\SysWOW64\Bffbdadk.exe | Bqijljfd.exe |
| File opened for modification | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cbdiia32.exe | Cmedlk32.exe |
| File created | C:\Windows\SysWOW64\Cegoqlof.exe | Ckmnbg32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cegoqlof.exe | Ckmnbg32.exe |
| File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | Cegoqlof.exe |
| File created | C:\Windows\SysWOW64\Pdkefp32.dll | Cegoqlof.exe |
| File opened for modification | C:\Windows\SysWOW64\Bqijljfd.exe | Bmlael32.exe |
| File created | C:\Windows\SysWOW64\Bmlael32.exe | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| File created | C:\Windows\SysWOW64\Bngpjpqe.dll | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| File created | C:\Windows\SysWOW64\Nloone32.dll | Ckmnbg32.exe |
| File created | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe |
| File created | C:\Windows\SysWOW64\Alecllfh.dll | Bqijljfd.exe |
| File created | C:\Windows\SysWOW64\Hmdeje32.dll | Bffbdadk.exe |
| File created | C:\Windows\SysWOW64\Cmedlk32.exe | Cbppnbhm.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 1832 | 2816 | WerFault.exe | 39 |
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqijljfd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmedlk32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckmnbg32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cegoqlof.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpapaj32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmlael32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bffbdadk.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbppnbhm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbdiia32.exe |
Modifies registry class (30 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bmlael32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bffbdadk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" | Bmlael32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bmlael32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bqijljfd.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cmedlk32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll" | Cmedlk32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | Cegoqlof.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cegoqlof.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll" | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bqijljfd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" | Bffbdadk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll" | Cbdiia32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ckmnbg32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cegoqlof.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cmedlk32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ckmnbg32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" | Ckmnbg32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bffbdadk.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cbppnbhm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cbdiia32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cbppnbhm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cbdiia32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll" | Bqijljfd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll" | Cbppnbhm.exe |
Suspicious use of WriteProcessMemory (40 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2112 wrote to memory of 2208 | 2112 | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe | 31 |
| PID 2112 wrote to memory of 2208 | 2112 | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe | 31 |
| PID 2112 wrote to memory of 2208 | 2112 | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe | 31 |
| PID 2112 wrote to memory of 2208 | 2112 | cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe | 31 |
| PID 2208 wrote to memory of 2792 | 2208 | Bmlael32.exe | 32 |
| PID 2208 wrote to memory of 2792 | 2208 | Bmlael32.exe | 32 |
| PID 2208 wrote to memory of 2792 | 2208 | Bmlael32.exe | 32 |
| PID 2208 wrote to memory of 2792 | 2208 | Bmlael32.exe | 32 |
| PID 2792 wrote to memory of 2852 | 2792 | Bqijljfd.exe | 33 |
| PID 2792 wrote to memory of 2852 | 2792 | Bqijljfd.exe | 33 |
| PID 2792 wrote to memory of 2852 | 2792 | Bqijljfd.exe | 33 |
| PID 2792 wrote to memory of 2852 | 2792 | Bqijljfd.exe | 33 |
| PID 2852 wrote to memory of 1200 | 2852 | Bffbdadk.exe | 34 |
| PID 2852 wrote to memory of 1200 | 2852 | Bffbdadk.exe | 34 |
| PID 2852 wrote to memory of 1200 | 2852 | Bffbdadk.exe | 34 |
| PID 2852 wrote to memory of 1200 | 2852 | Bffbdadk.exe | 34 |
| PID 1200 wrote to memory of 2560 | 1200 | Cbppnbhm.exe | 35 |
| PID 1200 wrote to memory of 2560 | 1200 | Cbppnbhm.exe | 35 |
| PID 1200 wrote to memory of 2560 | 1200 | Cbppnbhm.exe | 35 |
| PID 1200 wrote to memory of 2560 | 1200 | Cbppnbhm.exe | 35 |
| PID 2560 wrote to memory of 2616 | 2560 | Cmedlk32.exe | 36 |
| PID 2560 wrote to memory of 2616 | 2560 | Cmedlk32.exe | 36 |
| PID 2560 wrote to memory of 2616 | 2560 | Cmedlk32.exe | 36 |
| PID 2560 wrote to memory of 2616 | 2560 | Cmedlk32.exe | 36 |
| PID 2616 wrote to memory of 2976 | 2616 | Cbdiia32.exe | 37 |
| PID 2616 wrote to memory of 2976 | 2616 | Cbdiia32.exe | 37 |
| PID 2616 wrote to memory of 2976 | 2616 | Cbdiia32.exe | 37 |
| PID 2616 wrote to memory of 2976 | 2616 | Cbdiia32.exe | 37 |
| PID 2976 wrote to memory of 2268 | 2976 | Ckmnbg32.exe | 38 |
| PID 2976 wrote to memory of 2268 | 2976 | Ckmnbg32.exe | 38 |
| PID 2976 wrote to memory of 2268 | 2976 | Ckmnbg32.exe | 38 |
| PID 2976 wrote to memory of 2268 | 2976 | Ckmnbg32.exe | 38 |
| PID 2268 wrote to memory of 2816 | 2268 | Cegoqlof.exe | 39 |
| PID 2268 wrote to memory of 2816 | 2268 | Cegoqlof.exe | 39 |
| PID 2268 wrote to memory of 2816 | 2268 | Cegoqlof.exe | 39 |
| PID 2268 wrote to memory of 2816 | 2268 | Cegoqlof.exe | 39 |
| PID 2816 wrote to memory of 1832 | 2816 | Dpapaj32.exe | 40 |
| PID 2816 wrote to memory of 1832 | 2816 | Dpapaj32.exe | 40 |
| PID 2816 wrote to memory of 1832 | 2816 | Dpapaj32.exe | 40 |
| PID 2816 wrote to memory of 1832 | 2816 | Dpapaj32.exe | 40 |
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cdb59d9dd3e571a2873a7ec86ec7d38a9fb1a3339da0f8dc2b07d508aa1d4ebaN.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2112

Depth 2: C:\Windows\SysWOW64\Bmlael32.exe
Command line: C:\Windows\system32\Bmlael32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2208

Depth 3: C:\Windows\SysWOW64\Bqijljfd.exe
Command line: C:\Windows\system32\Bqijljfd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2792

Depth 4: C:\Windows\SysWOW64\Bffbdadk.exe
Command line: C:\Windows\system32\Bffbdadk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2852

Depth 5: C:\Windows\SysWOW64\Cbppnbhm.exe
Command line: C:\Windows\system32\Cbppnbhm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1200

Depth 6: C:\Windows\SysWOW64\Cmedlk32.exe
Command line: C:\Windows\system32\Cmedlk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2560

Depth 7: C:\Windows\SysWOW64\Cbdiia32.exe
Command line: C:\Windows\system32\Cbdiia32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2616

Depth 8: C:\Windows\SysWOW64\Ckmnbg32.exe
Command line: C:\Windows\system32\Ckmnbg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2976

Depth 9: C:\Windows\SysWOW64\Cegoqlof.exe
Command line: C:\Windows\system32\Cegoqlof.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2268

Depth 10: C:\Windows\SysWOW64\Dpapaj32.exe
Command line: C:\Windows\system32\Dpapaj32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2816

Depth 11: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 144
- Loads dropped DLL
- Program crash
PID: 1832
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 576KB
MD5: fdc69c2a43a82b3faba06a61b6f4dff7
SHA1: 9bcad03740d3b562379ad92940a8f840c6b237bf
SHA256: 412aabf8388739191331d7ac285310d263fca2a42b3e84c161fe04ccce929c9d
SHA512: c0e16f23dbe68322afecd4b08339eba728d2c1f3f74ab569ee2d680b28170c7c85e34a497797fb561b67545a6feede3b735f08c83657b68fd7f2fdef47c076df

Filesize: 576KB
MD5: 06fdb5c2f44194a8728ba322ddd64007
SHA1: 6802616266d1c6285eea2bc60429ed0ec9bf00c3
SHA256: 863413cca5e1896dc5f92457274cda575636721f10cfe11bc88c763f86b69e75
SHA512: d9b35638117e4e0a4450a425454aca0a9fa792bd00500a65bed8708745d27e29af3b1e725256d1f1c566aed4868414a1dfded18615732ed0a421d2be42affca6

Filesize: 576KB
MD5: 7d729304d29c6117a9e48961d770d166
SHA1: 454a88d944e8892a574d8463a81852adfcb27457
SHA256: 3959ee6a973c5a4e08800175f84659eda97cffabd7114a5db20d4b4386dad005
SHA512: fee5d7be7a9f221c13bbba44959fd1e69043ee11c6a90d4076a7701f3d99c9aef5392c4787c8b64fa0271e5107cf4191a038f53714fca46fb786294a38c43290

Filesize: 7KB
MD5: d9ddde3d1badd1a466e5bb032a662fb5
SHA1: 6e27b4c46e280601b2c7f0a568b627a212d4cf82
SHA256: d4ceeef82bbefd9b8f891f564552aa6cb488adeff2840bf02f4b81c353a3e7d0
SHA512: 5f87b5319f81bb11a46b24bc48e012b76418bf1673bfa5e851e2fec77176903176edb8b4bca5c68c28f98878ac3ff2441b1b7d75e6782bea0a2dfb7d588c19bc

Filesize: 576KB
MD5: 7dc719d51a6d49712d04a170e6c4bbb8
SHA1: aa6e231500d877dd4c48db90e114d27eea3bd0a4
SHA256: 83362171763869a2a2b95a1c9bfbd59607957e4017e5c9bdf0ff87f08cc0c9c8
SHA512: 183a3829478d958ab04c2af812e5e4795a0e69ded73f85a679b6b039ffe19d69338a9446771fbf576845bb65cee3d8712fd562937d22aa7374b41a22f434d717

Filesize: 576KB
MD5: fd06e931512d9ac654fdc8101ab2dadf
SHA1: 80ba2ba49b0586ebfce2707f9d605cef99d23d95
SHA256: 9ef6a3a4e1515be61bd69e55156d1cb7670a5f2d9f0cac72d3c06dc4ef2413db
SHA512: e7fd3680a19cf2eeedfdac11afb9d236607a98204604aba563ddee1a0d59d22497bfca4e3de3ba50ed9daa78639dce96e54fe38877b4ab4589fb5eb83cdbef4c

Filesize: 576KB
MD5: 529a470250c9e55d157e96bbb6065a16
SHA1: 8cb47d98da8b2aab9843f5b7ee38a3e334e5532a
SHA256: 3983bd51a48cb88d7130404f0cfc65a2b32db9d415a4809891e048a1507bce3c
SHA512: 2101acb33d12f424b3559c92e3fcafa13a34c23fdfb31641183bf20f48bbdc3581a95563148771cc0395e610b1f9394aa4f5e40410c768df46a73bb7ad9f3634

Filesize: 576KB
MD5: d43085524f8eebfb97414dd0393e61fb
SHA1: 078e65e0a5892fa33aa0a6fbb25d1bce445f2ac3
SHA256: 5043a94d8e4133a07e78280b52abe23608588008de3c9eee6f16d9e51f5c6bee
SHA512: c6fed8c8fd56af2e07c071189b8b3abb4e2b87224664e0b3179a87ab0049937d35c73450b3c680cae2857cfe570132236d684c0515087ee730a716f0ab0b8a99

Filesize: 576KB
MD5: b2222d9f2aba77b26577d75e36909930
SHA1: cff56d1a1c6e664c0e4e3cfe9e3d93d0c91f7c00
SHA256: d8d292b6ef31395256841af095fe28f907da6646b00b5808dc5b929681bf7cc5
SHA512: 30f31db9e5f7877dc2cd5961be6eb8f95438d98b670a0ff748d292b57c3f9bf9e8f9145c3355ee39a07d57585c9fe8be216157bcf29d7a191e1855608cbe7898

Filesize: 576KB
MD5: 2e7f1a1cd51e4e4da42ddbaa6a4e34b1
SHA1: 8b9d1ade7b4cd8a4d35505d9a4cfcd9db7a2469b
SHA256: a19056d89f07bbe9c79ae23561e29fa8d40c52e5a434449d7221db7ca3968a76
SHA512: 57cdeea5da553900e65c2e6252b96664fae41c13cd6e6c9d6b5dbf3575bb57348d470fde98957c1eb2c0022d60d1800baa8228f6fd940f6a8a98bc3631bccf40