berbew | f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637

Analysis

max time kernel
84s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Size

649KB
MD5

b4b8ecbc4ae1c721970e106c3b5ca310
SHA1

b74768d471929be07a176074fec671ad8ded4b02
SHA256

f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637
SHA512

521ede270a31c83907d0fa34f5f13c40703a2fe1c6825f7a75461932f5c58ec09b7909cb3bc91cc3aae2a6b07aad82c37e8b829169e1475d2f0247162b149e6c
SSDEEP

12288:2pdXHaINIVIIVy2oIvPKiK13fS2hEYM9RIPa:SdXHfNIVIIVy2jU13fS2hEYM9RIPa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
1288	Bccmmf32.exe
2880	Bjmeiq32.exe
2776	Bmlael32.exe
2700	Ccmpce32.exe
2692	Cjonncab.exe
2576	Cjakccop.exe
2260	Cegoqlof.exe
2312	Cgfkmgnj.exe
2044	Dnpciaef.exe
764	Dpapaj32.exe

Loads dropped DLL 23 IoCs

pid	Process
2280	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
2280	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
1288	Bccmmf32.exe
1288	Bccmmf32.exe
2880	Bjmeiq32.exe
2880	Bjmeiq32.exe
2776	Bmlael32.exe
2776	Bmlael32.exe
2700	Ccmpce32.exe
2700	Ccmpce32.exe
2692	Cjonncab.exe
2692	Cjonncab.exe
2576	Cjakccop.exe
2576	Cjakccop.exe
2260	Cegoqlof.exe
2260	Cegoqlof.exe
2312	Cgfkmgnj.exe
2312	Cgfkmgnj.exe
2044	Dnpciaef.exe
2044	Dnpciaef.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe

Program crash 1 IoCs

pid	pid_target	Process
1516	764	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1288	2280	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe	31
PID 2280 wrote to memory of 1288	2280	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe	31
PID 2280 wrote to memory of 1288	2280	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe	31
PID 2280 wrote to memory of 1288	2280	f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe	31
PID 1288 wrote to memory of 2880	1288	Bccmmf32.exe	32
PID 1288 wrote to memory of 2880	1288	Bccmmf32.exe	32
PID 1288 wrote to memory of 2880	1288	Bccmmf32.exe	32
PID 1288 wrote to memory of 2880	1288	Bccmmf32.exe	32
PID 2880 wrote to memory of 2776	2880	Bjmeiq32.exe	33
PID 2880 wrote to memory of 2776	2880	Bjmeiq32.exe	33
PID 2880 wrote to memory of 2776	2880	Bjmeiq32.exe	33
PID 2880 wrote to memory of 2776	2880	Bjmeiq32.exe	33
PID 2776 wrote to memory of 2700	2776	Bmlael32.exe	34
PID 2776 wrote to memory of 2700	2776	Bmlael32.exe	34
PID 2776 wrote to memory of 2700	2776	Bmlael32.exe	34
PID 2776 wrote to memory of 2700	2776	Bmlael32.exe	34
PID 2700 wrote to memory of 2692	2700	Ccmpce32.exe	35
PID 2700 wrote to memory of 2692	2700	Ccmpce32.exe	35
PID 2700 wrote to memory of 2692	2700	Ccmpce32.exe	35
PID 2700 wrote to memory of 2692	2700	Ccmpce32.exe	35
PID 2692 wrote to memory of 2576	2692	Cjonncab.exe	36
PID 2692 wrote to memory of 2576	2692	Cjonncab.exe	36
PID 2692 wrote to memory of 2576	2692	Cjonncab.exe	36
PID 2692 wrote to memory of 2576	2692	Cjonncab.exe	36
PID 2576 wrote to memory of 2260	2576	Cjakccop.exe	37
PID 2576 wrote to memory of 2260	2576	Cjakccop.exe	37
PID 2576 wrote to memory of 2260	2576	Cjakccop.exe	37
PID 2576 wrote to memory of 2260	2576	Cjakccop.exe	37
PID 2260 wrote to memory of 2312	2260	Cegoqlof.exe	38
PID 2260 wrote to memory of 2312	2260	Cegoqlof.exe	38
PID 2260 wrote to memory of 2312	2260	Cegoqlof.exe	38
PID 2260 wrote to memory of 2312	2260	Cegoqlof.exe	38
PID 2312 wrote to memory of 2044	2312	Cgfkmgnj.exe	39
PID 2312 wrote to memory of 2044	2312	Cgfkmgnj.exe	39
PID 2312 wrote to memory of 2044	2312	Cgfkmgnj.exe	39
PID 2312 wrote to memory of 2044	2312	Cgfkmgnj.exe	39
PID 2044 wrote to memory of 764	2044	Dnpciaef.exe	40
PID 2044 wrote to memory of 764	2044	Dnpciaef.exe	40
PID 2044 wrote to memory of 764	2044	Dnpciaef.exe	40
PID 2044 wrote to memory of 764	2044	Dnpciaef.exe	40
PID 764 wrote to memory of 1516	764	Dpapaj32.exe	41
PID 764 wrote to memory of 1516	764	Dpapaj32.exe	41
PID 764 wrote to memory of 1516	764	Dpapaj32.exe	41
PID 764 wrote to memory of 1516	764	Dpapaj32.exe	41

C:\Users\Admin\AppData\Local\Temp\f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe
"C:\Users\Admin\AppData\Local\Temp\f956256c81872a72a41b4960ef75cf087c60451cb912d21815f3faadad0a0637N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Bccmmf32.exe
  C:\Windows\system32\Bccmmf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\Bjmeiq32.exe
    C:\Windows\system32\Bjmeiq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\Bmlael32.exe
      C:\Windows\system32\Bmlael32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 144
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
649KB

MD5
d854c1ea48e2f7ae4de418d3237e8909

SHA1
6f3454d1cad9fac405b09a217748abcdadd738f9

SHA256
b1b82e3f11501a95f6f1484edfa1df8eb6878fb383fc953e6284fdf41faec346

SHA512
7a2072b3a2aedb2784b56fefc0acc33fc186b9dc2b485bfec44d62d106b3941539df479bece6c414e13f709b183b988a5de1898d2e9b4f9c3565833752311745

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
649KB

MD5
4cac8611ae57f4bcfab766d719e5dfb0

SHA1
3eb1be7b250252d235a48f124eb658e6acb7211b

SHA256
036185a3d672c8aa7e7106edb0960435cb1a7b0ac83f7ca369115fbab64561ad

SHA512
4fd8b644b3bc63962cc754fa7cd4c1cb4188a5c78e4e04471cbbca085f0e2d73c10ea45afce510623114ce39246bbcebb5fc635dd6d77e8865f7c2a251ab376f

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
649KB

MD5
2cd525a13a1588de80d4daeee2c499b0

SHA1
0fe4840de57590cb4c7eb192ccf40bf8c1bd320d

SHA256
31dc19737bdaf03f3b3952aa79ca5a5aba055d14c7397ce82a04143cb843a54e

SHA512
8c6d592c7c8cad04be425ecbaaac273d7c367856bf6ba1a88a4a64f2d1cb12c14e3d49d4e070e9a8294df245328173e25cae5c4a7a246e06d9d8566ab92ea29e

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
649KB

MD5
2f823c2ca08759c56fd63d63ef15ff40

SHA1
689ef2dcd380ddfbe86cefe9b7068ffa5c8275f7

SHA256
4be7060872e4273d3a62e27eec22e3403668b5a56c5fcb339ff2520a6582f2bc

SHA512
3b1ca44aed67aaabb457b58759d6b1080259dd8c529133d44ebc8e5c00947cddcf926a208663ce01eb479bbb7e29b4fbd0cc1177e31dcd30ec3119c9a741aec3

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
649KB

MD5
316b63644682cd6dfa2a30b5adae93a4

SHA1
f3e6026b7fe3ba3bcd515fc05e2eeec065df6c2c

SHA256
25074a9bb1cc9e1efaf59665a274ae830ef237bc20aff262441dc3cfc5b890c8

SHA512
e5adfe2a6899acb0a22cd2a8899649c0377342d386911b0cb8d37ac26ffb38e911955ff274d16eae0c4282e81f69bea231d3547e18ba90016c100b0b0fa9dd88

Download Submit
\Windows\SysWOW64\Bccmmf32.exe

Filesize
649KB

MD5
77771c63fe419c6bdfd30f5f32c3716b

SHA1
fa9a621cb6f2e8f8a83d5c7dae570dfdfe40a6a9

SHA256
f398b22900dc65004562d006b2ffbe2fcb84042a9d6c8f3f767a149063ec71a0

SHA512
1bde587c92f16f87a0b4bc1082e1fd25fd63d36a0d535705eefce1a57f24a2df9724f51ca12be0b3ae5a83572960f55d07e5c36f445558999f4361796d618402

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
649KB

MD5
93265803bab8364ab8e50286bf2e831b

SHA1
9c9b2618c42ccc6566acbfedb0fabd589dc34460

SHA256
f8bbedcbd65346e981a62f80bdb903e12827ccdec65429f124308e1271a20d60

SHA512
a337a5f328c2adad93095d3e38e92eb361de3a430245dbb6bcb901a063164e512a8d3c6c22317e85691ad3cfeae3b2f62b596cf33cb221483840b732c3d94c0d

Download Submit
\Windows\SysWOW64\Bmlael32.exe

Filesize
649KB

MD5
ca70f03500befcb6b5f32003cc55a621

SHA1
e96d323cf8c7c1262660449d982ddc4f947b8f0f

SHA256
968caa78a127c5bd1e561893611ff82d055e26982f9bad229f84d2f2e2009364

SHA512
32665a8067259c046d940cea7832464f535c9f69a7afc9718ef884ca0b498639a76a2308ba4e140a2c9a5c4169d40b5ea3e86b6c53d641552f844f620c4b2877

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
649KB

MD5
d65ce7e948fc8d66c41f004b2dc4d2b7

SHA1
da47a9e13b1109e1cf88b3c1f0fb0ed85e87f6c1

SHA256
a2bb9050d33bc698a74a21a1573a3678c2435fcb7eeb81cb627ae5a6209917ce

SHA512
1ecfc2e69b71d1e5927e93f880a71c36bf7014df1ef26eb9cce7c933b9698598f234293f531437af1d1367b20344cf3224c89d98e9da654a963f50e04f9e9e4c

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
649KB

MD5
5ebac614cc8da394a8205ffab2be3dea

SHA1
12a333b94bc2eae8304a980950ec966ed8c9bd6d

SHA256
1b01042fb8e6e8a9819d2ba2d460d0b48b29d96056e160bbddd77d989b69d710

SHA512
00235588ca9bee7bcfbe4f50ae5c060698e1c2e2cb87f14bb59077c8fed0c317e918f209d2bb0ad45106772c4a3ce829aa4cfdd0cbcf97a1d479877cac6a8b6f

Download Submit
memory/764-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/764-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1288-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-12-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2280-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-11-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2312-106-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-66-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2700-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-61-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2776-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads