berbew | 283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Size

454KB
MD5

d00a121a72689b8cda01f85c541f7780
SHA1

46447f8ee723f618086b658be32ffb65e0c9adbd
SHA256

283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083
SHA512

fb4d6d2f2e7f89528c74b48d463280b42e2442f27c923febb2e15fd83973b7e83d0269abf66b747ba7d6f0c16d4cebf9b7afdf39aa33364c7d428d61d984d471
SSDEEP

6144:ENi0rRP8oduQ/a8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBH:E1dP8oduv87g7/VycgE81lS

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amhopfof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nejdjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olalpdbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Penjdien.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgdpgqgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amhopfof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Plcied32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Naionh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nejdjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgdpgqgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olalpdbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plcied32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Penjdien.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naionh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdnloph.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
928	Naionh32.exe
276	Nejdjf32.exe
2760	Ocdnloph.exe
2736	Olalpdbc.exe
2792	Plcied32.exe
2652	Penjdien.exe
2336	Pgdpgqgg.exe
2032	Amhopfof.exe
2980	Aioodg32.exe
236	Bmenijcd.exe

Loads dropped DLL 24 IoCs

pid	Process
2220	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
2220	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
928	Naionh32.exe
928	Naionh32.exe
276	Nejdjf32.exe
276	Nejdjf32.exe
2760	Ocdnloph.exe
2760	Ocdnloph.exe
2736	Olalpdbc.exe
2736	Olalpdbc.exe
2792	Plcied32.exe
2792	Plcied32.exe
2652	Penjdien.exe
2652	Penjdien.exe
2336	Pgdpgqgg.exe
2336	Pgdpgqgg.exe
2032	Amhopfof.exe
2032	Amhopfof.exe
2980	Aioodg32.exe
2980	Aioodg32.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pidoei32.dll	Penjdien.exe
File created	C:\Windows\SysWOW64\Mikelp32.dll	Pgdpgqgg.exe
File opened for modification	C:\Windows\SysWOW64\Penjdien.exe	Plcied32.exe
File opened for modification	C:\Windows\SysWOW64\Pgdpgqgg.exe	Penjdien.exe
File created	C:\Windows\SysWOW64\Apfamf32.dll	Amhopfof.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Ocdnloph.exe	Nejdjf32.exe
File created	C:\Windows\SysWOW64\Qqbhmi32.dll	Olalpdbc.exe
File created	C:\Windows\SysWOW64\Amhopfof.exe	Pgdpgqgg.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Aioodg32.exe
File opened for modification	C:\Windows\SysWOW64\Plcied32.exe	Olalpdbc.exe
File created	C:\Windows\SysWOW64\Penjdien.exe	Plcied32.exe
File created	C:\Windows\SysWOW64\Pgdpgqgg.exe	Penjdien.exe
File created	C:\Windows\SysWOW64\Afhggc32.dll	Naionh32.exe
File created	C:\Windows\SysWOW64\Lkdjamga.dll	Ocdnloph.exe
File opened for modification	C:\Windows\SysWOW64\Aioodg32.exe	Amhopfof.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Doeljaja.dll	Nejdjf32.exe
File opened for modification	C:\Windows\SysWOW64\Nejdjf32.exe	Naionh32.exe
File opened for modification	C:\Windows\SysWOW64\Olalpdbc.exe	Ocdnloph.exe
File created	C:\Windows\SysWOW64\Eecpggap.dll	Plcied32.exe
File created	C:\Windows\SysWOW64\Nejdjf32.exe	Naionh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdnloph.exe	Nejdjf32.exe
File created	C:\Windows\SysWOW64\Olalpdbc.exe	Ocdnloph.exe
File opened for modification	C:\Windows\SysWOW64\Naionh32.exe	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
File created	C:\Windows\SysWOW64\Pmjoacao.dll	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
File created	C:\Windows\SysWOW64\Plcied32.exe	Olalpdbc.exe
File opened for modification	C:\Windows\SysWOW64\Amhopfof.exe	Pgdpgqgg.exe
File created	C:\Windows\SysWOW64\Aioodg32.exe	Amhopfof.exe
File created	C:\Windows\SysWOW64\Naionh32.exe	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1996	236	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naionh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnloph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plcied32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhopfof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nejdjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olalpdbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Penjdien.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgdpgqgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioodg32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nejdjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidoei32.dll"	Penjdien.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Penjdien.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nejdjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doeljaja.dll"	Nejdjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olalpdbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Penjdien.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mikelp32.dll"	Pgdpgqgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Naionh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqbhmi32.dll"	Olalpdbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhggc32.dll"	Naionh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Plcied32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjoacao.dll"	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Naionh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkdjamga.dll"	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecpggap.dll"	Plcied32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgdpgqgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amhopfof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfamf32.dll"	Amhopfof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olalpdbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Plcied32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgdpgqgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amhopfof.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 928	2220	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe	29
PID 2220 wrote to memory of 928	2220	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe	29
PID 2220 wrote to memory of 928	2220	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe	29
PID 2220 wrote to memory of 928	2220	283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe	29
PID 928 wrote to memory of 276	928	Naionh32.exe	30
PID 928 wrote to memory of 276	928	Naionh32.exe	30
PID 928 wrote to memory of 276	928	Naionh32.exe	30
PID 928 wrote to memory of 276	928	Naionh32.exe	30
PID 276 wrote to memory of 2760	276	Nejdjf32.exe	31
PID 276 wrote to memory of 2760	276	Nejdjf32.exe	31
PID 276 wrote to memory of 2760	276	Nejdjf32.exe	31
PID 276 wrote to memory of 2760	276	Nejdjf32.exe	31
PID 2760 wrote to memory of 2736	2760	Ocdnloph.exe	32
PID 2760 wrote to memory of 2736	2760	Ocdnloph.exe	32
PID 2760 wrote to memory of 2736	2760	Ocdnloph.exe	32
PID 2760 wrote to memory of 2736	2760	Ocdnloph.exe	32
PID 2736 wrote to memory of 2792	2736	Olalpdbc.exe	33
PID 2736 wrote to memory of 2792	2736	Olalpdbc.exe	33
PID 2736 wrote to memory of 2792	2736	Olalpdbc.exe	33
PID 2736 wrote to memory of 2792	2736	Olalpdbc.exe	33
PID 2792 wrote to memory of 2652	2792	Plcied32.exe	34
PID 2792 wrote to memory of 2652	2792	Plcied32.exe	34
PID 2792 wrote to memory of 2652	2792	Plcied32.exe	34
PID 2792 wrote to memory of 2652	2792	Plcied32.exe	34
PID 2652 wrote to memory of 2336	2652	Penjdien.exe	35
PID 2652 wrote to memory of 2336	2652	Penjdien.exe	35
PID 2652 wrote to memory of 2336	2652	Penjdien.exe	35
PID 2652 wrote to memory of 2336	2652	Penjdien.exe	35
PID 2336 wrote to memory of 2032	2336	Pgdpgqgg.exe	36
PID 2336 wrote to memory of 2032	2336	Pgdpgqgg.exe	36
PID 2336 wrote to memory of 2032	2336	Pgdpgqgg.exe	36
PID 2336 wrote to memory of 2032	2336	Pgdpgqgg.exe	36
PID 2032 wrote to memory of 2980	2032	Amhopfof.exe	37
PID 2032 wrote to memory of 2980	2032	Amhopfof.exe	37
PID 2032 wrote to memory of 2980	2032	Amhopfof.exe	37
PID 2032 wrote to memory of 2980	2032	Amhopfof.exe	37
PID 2980 wrote to memory of 236	2980	Aioodg32.exe	38
PID 2980 wrote to memory of 236	2980	Aioodg32.exe	38
PID 2980 wrote to memory of 236	2980	Aioodg32.exe	38
PID 2980 wrote to memory of 236	2980	Aioodg32.exe	38
PID 236 wrote to memory of 1996	236	Bmenijcd.exe	39
PID 236 wrote to memory of 1996	236	Bmenijcd.exe	39
PID 236 wrote to memory of 1996	236	Bmenijcd.exe	39
PID 236 wrote to memory of 1996	236	Bmenijcd.exe	39

C:\Users\Admin\AppData\Local\Temp\283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe
"C:\Users\Admin\AppData\Local\Temp\283a7410a5b8f3fc4e2feff86829e6fc88437fb5d2034f86f1634142c6f6b083N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\Naionh32.exe
  C:\Windows\system32\Naionh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\SysWOW64\Nejdjf32.exe
    C:\Windows\system32\Nejdjf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\SysWOW64\Ocdnloph.exe
      C:\Windows\system32\Ocdnloph.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Olalpdbc.exe
        
        C:\Windows\system32\Olalpdbc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\Plcied32.exe
        
        C:\Windows\system32\Plcied32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Penjdien.exe
        
        C:\Windows\system32\Penjdien.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Pgdpgqgg.exe
        
        C:\Windows\system32\Pgdpgqgg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Amhopfof.exe
        
        C:\Windows\system32\Amhopfof.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Aioodg32.exe
        
        C:\Windows\system32\Aioodg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amhopfof.exe

Filesize
454KB

MD5
1ad864494f5ab1a13d65a1c95606fd5d

SHA1
d99dbea1bbfe88519b26533d966f026482e47b1b

SHA256
d9123441b53491215ee4e619c45361e8d48b852e05374a411722d5ab47bc42c8

SHA512
20e6416c225e6cb3eeabfe576102792fc783c91780d19373dd66781f1fc218763e10fa12984482461d97b638d8ef0ba7b27f8adacfad5760cabec9f6e63600a8

Download Submit
C:\Windows\SysWOW64\Pgdpgqgg.exe

Filesize
454KB

MD5
864d2a1ad5503dd3077365aa43199fbf

SHA1
68a6800385c9f3a0acb72dab79620b158949058f

SHA256
ac1bb19b334d07bb11123e2171fd7ff6cec91cbb07b80f5ff041c7f19cef654a

SHA512
86cd6668d175778ae1f1c71254d699a574e285b5ccc72dc3d9a32df539a2c2f2eb047f55246cd54b528160d38707c7396145db8dd79cd4310de89250f84ddf3d

Download Submit
C:\Windows\SysWOW64\Qqbhmi32.dll

Filesize
7KB

MD5
c5233ef421ef29d7f487028861631b7d

SHA1
5674c27d24cbed2d2555248715c5cd59eaefebde

SHA256
7ea78a2258153f87749a18e6dad6b9dad032d9400be153a9717051349989dc77

SHA512
a5f5c06eb88c6168d0714e2bfe066078afa3b15cc4444980451f1873e54deb3ea0acef18299e1546d51268a33ec5f33018f8c2d3de4691ae0032ca0e459f985c

Download Submit
\Windows\SysWOW64\Aioodg32.exe

Filesize
454KB

MD5
05dff13589b16fa0e4c02735c796cf70

SHA1
14ceb566ad20f6c4634cbab38db529c09eaa942e

SHA256
8d75270a0b77c59df9fe6bcc105c1182e6305b97fdee8fb449d5e0eafe78d6d6

SHA512
e54dea5d2347f7134db0972c675699334630c68a9c260a8451b76827f912b0732ce3e930d2a5e76183a79e7cc2237ccbeeeb102b1a3a7597e459f18938b91622

Download Submit
\Windows\SysWOW64\Bmenijcd.exe

Filesize
454KB

MD5
7fb78e8cfc7e224173725c0243940f0f

SHA1
24439c1d191964bbe6fbff4afc2d5c6b5bba0a51

SHA256
98c37638fdfa8699f8cbe8136c233527f2de3991019a983ff7ab64c6494a0b5d

SHA512
dc99d6cae56f14e28fb1e6c75bb7f921dafc370fa987dae00ab88712e5e9669d14cea3673656fe9fe3197f9da126ffc181c7b9ddf40fba092c0c0d1b80477771

Download Submit
\Windows\SysWOW64\Naionh32.exe

Filesize
454KB

MD5
a95b341da8627f097fe86dde89d318a1

SHA1
0285f575f5e7011d4c9f51aa297672bae3503c51

SHA256
bb53ab617a3c0241bb44f7ef25cb19b6e1d67b9c187cc3dc9abb5b492852d61e

SHA512
5884f91e610e61d84062c35e4775ae1e660b3494a5ebf6d4fd7ec7b5f92d267c45ca4554b048383fb764e257d35963bee66a5072a11c93621c0d1ad6e2fdb35e

Download Submit
\Windows\SysWOW64\Nejdjf32.exe

Filesize
454KB

MD5
c85fb030efc0f69e360494cf9e6cba30

SHA1
11172375f1717fe3f35bd4133d66ff02cd7c1b53

SHA256
04765d6db38e386a4ba57480a922e5df4513014ad08afee1beb5155e29add5ca

SHA512
ceee51e425c7a4995801f3ae3a2a74989de119e4fef1e9b2e8647120e7dffaf1cf11bd7ad8c074355e61d21c019c77b85f7f2f62122fa9146f30df1e27db4d8c

Download Submit
\Windows\SysWOW64\Ocdnloph.exe

Filesize
454KB

MD5
b049f4b4c7e10c6a8bbefe259b0283cf

SHA1
a25ce50b3d2921a3fa54c6cf8faaf4ba60372a1d

SHA256
e1a0bf08da88f47687fed24cd8004571e190e4ae45cbb750716c1347be34be4f

SHA512
e7fafb90bbd6e42646239a2dd7e780052b93b6386d897673d5aa93e268fcd559c2b78708d89be6d0cc3153bc98575cd11a8019d51bd3e2c601158b7da4b44f24

Download Submit
\Windows\SysWOW64\Olalpdbc.exe

Filesize
454KB

MD5
c26286dc4e563b2983a7eb81c2c72b63

SHA1
3a0c00b013c0ad626999fec4b58a267f91cb4b37

SHA256
910d8d0d0aa435c1a32f8c85bc7afa3a2883c5fe5ec7fbcd3a85484bc8bef15e

SHA512
8ad9d2522186a7046399a11c7eae27a129f249882d61a06fa8df3c2a8786ba97c61bb8d92bb399db708e2068754676c889632a06688d5233ff0d0b1bda6925c9

Download Submit
\Windows\SysWOW64\Penjdien.exe

Filesize
454KB

MD5
b4b6ced4e3063f3a5cb08387433f7d60

SHA1
304d91b8bda393558b43c38e80db95f29b9648a7

SHA256
7cd83836bbaf99cca430dc25c4dd9956b7a459f50d212c472457fffbc3a987fa

SHA512
51ea0cae6e89a75b953a78fc193090537f0becd7a11e27479904b1e09ee024c861dd0d082d4aee816f08a66aa6c7d6c8ab9a52da33e53af2dc6ee6f751f95565

Download Submit
\Windows\SysWOW64\Plcied32.exe

Filesize
454KB

MD5
e2f34433c6428f3211ea2326289e26fa

SHA1
d38342f0704ad41579ed7afe5e6bf49523a35ffd

SHA256
8bfe0423a659a9e3a58dc9e852ff860c6e39fc26ec799f8a9a2e5409b332fef0

SHA512
40ed7e19d16133b28377f7f1e85e2a6ee808dab2db0279ecd480209511ee5f821d7636fc65a5e7ccb1b825bae178b5ee4b3de22dc4d8f001e7a86d8876ceae56

Download Submit
memory/236-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/276-39-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/276-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-22-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/928-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-124-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2032-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2220-11-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2336-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-104-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2336-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-95-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2652-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-63-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2736-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-49-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2760-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-77-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2792-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-137-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2980-138-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2980-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads