berbew | ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Size

74KB
MD5

50747d517ae4b8bebe2ee31e917cd143
SHA1

401abe8b673b5d46a7cc2204e887b407699bc1a5
SHA256

ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160
SHA512

7a080712c74410df9a8426242582451671cf5ad171484ac25009d0cd7ba4bf13e723544b03a9d8ce572f5b308879eaac232efa6ad08e5070df5a766c70747705
SSDEEP

1536:Q9+iocXr5yp4CUFLO5ts+4dMJvLfkZBIwO+DNs:Q9VLXVgUV2tGMJrSIcs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cagienkb.exeCjakccop.exeDmbcen32.exeCbffoabe.exeCfhkhd32.exeCgaaah32.exeCgcnghpl.exeCegoqlof.exeec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

Processes:

Cagienkb.exeCgaaah32.exeCbffoabe.exeCgcnghpl.exeCjakccop.exeCegoqlof.exeCfhkhd32.exeDmbcen32.exeDpapaj32.exe

pid	process
316	Cagienkb.exe
2292	Cgaaah32.exe
2708	Cbffoabe.exe
2720	Cgcnghpl.exe
2588	Cjakccop.exe
2728	Cegoqlof.exe
2632	Cfhkhd32.exe
3044	Dmbcen32.exe
1324	Dpapaj32.exe

Loads dropped DLL 21 IoCs

Processes:

ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exeCagienkb.exeCgaaah32.exeCbffoabe.exeCgcnghpl.exeCjakccop.exeCegoqlof.exeCfhkhd32.exeDmbcen32.exeWerFault.exe

pid	process
2448	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
2448	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
316	Cagienkb.exe
316	Cagienkb.exe
2292	Cgaaah32.exe
2292	Cgaaah32.exe
2708	Cbffoabe.exe
2708	Cbffoabe.exe
2720	Cgcnghpl.exe
2720	Cgcnghpl.exe
2588	Cjakccop.exe
2588	Cjakccop.exe
2728	Cegoqlof.exe
2728	Cegoqlof.exe
2632	Cfhkhd32.exe
2632	Cfhkhd32.exe
3044	Dmbcen32.exe
3044	Dmbcen32.exe
536	WerFault.exe
536	WerFault.exe
536	WerFault.exe

Drops file in System32 directory 29 IoCs

Processes:

Dmbcen32.exeec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exeCjakccop.exeCegoqlof.exeCagienkb.exeCgaaah32.exeCfhkhd32.exeDpapaj32.exeCbffoabe.exeCgcnghpl.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

536 1324 WerFault.exe

pid	pid_target	process
536	1324	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cegoqlof.exeCfhkhd32.exeDpapaj32.exeec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exeCagienkb.exeCgaaah32.exeCbffoabe.exeCgcnghpl.exeCjakccop.exeDmbcen32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe

Modifies registry class 30 IoCs

Processes:

ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exeCgaaah32.exeCbffoabe.exeCegoqlof.exeCagienkb.exeCgcnghpl.exeCjakccop.exeDmbcen32.exeCfhkhd32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cegoqlof.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exeCagienkb.exeCgaaah32.exeCbffoabe.exeCgcnghpl.exeCjakccop.exeCegoqlof.exeCfhkhd32.exeDmbcen32.exeDpapaj32.exe

description	pid	process	target process
PID 2448 wrote to memory of 316	2448	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe	Cagienkb.exe
PID 2448 wrote to memory of 316	2448	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe	Cagienkb.exe
PID 2448 wrote to memory of 316	2448	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe	Cagienkb.exe
PID 2448 wrote to memory of 316	2448	ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe	Cagienkb.exe
PID 316 wrote to memory of 2292	316	Cagienkb.exe	Cgaaah32.exe
PID 316 wrote to memory of 2292	316	Cagienkb.exe	Cgaaah32.exe
PID 316 wrote to memory of 2292	316	Cagienkb.exe	Cgaaah32.exe
PID 316 wrote to memory of 2292	316	Cagienkb.exe	Cgaaah32.exe
PID 2292 wrote to memory of 2708	2292	Cgaaah32.exe	Cbffoabe.exe
PID 2292 wrote to memory of 2708	2292	Cgaaah32.exe	Cbffoabe.exe
PID 2292 wrote to memory of 2708	2292	Cgaaah32.exe	Cbffoabe.exe
PID 2292 wrote to memory of 2708	2292	Cgaaah32.exe	Cbffoabe.exe
PID 2708 wrote to memory of 2720	2708	Cbffoabe.exe	Cgcnghpl.exe
PID 2708 wrote to memory of 2720	2708	Cbffoabe.exe	Cgcnghpl.exe
PID 2708 wrote to memory of 2720	2708	Cbffoabe.exe	Cgcnghpl.exe
PID 2708 wrote to memory of 2720	2708	Cbffoabe.exe	Cgcnghpl.exe
PID 2720 wrote to memory of 2588	2720	Cgcnghpl.exe	Cjakccop.exe
PID 2720 wrote to memory of 2588	2720	Cgcnghpl.exe	Cjakccop.exe
PID 2720 wrote to memory of 2588	2720	Cgcnghpl.exe	Cjakccop.exe
PID 2720 wrote to memory of 2588	2720	Cgcnghpl.exe	Cjakccop.exe
PID 2588 wrote to memory of 2728	2588	Cjakccop.exe	Cegoqlof.exe
PID 2588 wrote to memory of 2728	2588	Cjakccop.exe	Cegoqlof.exe
PID 2588 wrote to memory of 2728	2588	Cjakccop.exe	Cegoqlof.exe
PID 2588 wrote to memory of 2728	2588	Cjakccop.exe	Cegoqlof.exe
PID 2728 wrote to memory of 2632	2728	Cegoqlof.exe	Cfhkhd32.exe
PID 2728 wrote to memory of 2632	2728	Cegoqlof.exe	Cfhkhd32.exe
PID 2728 wrote to memory of 2632	2728	Cegoqlof.exe	Cfhkhd32.exe
PID 2728 wrote to memory of 2632	2728	Cegoqlof.exe	Cfhkhd32.exe
PID 2632 wrote to memory of 3044	2632	Cfhkhd32.exe	Dmbcen32.exe
PID 2632 wrote to memory of 3044	2632	Cfhkhd32.exe	Dmbcen32.exe
PID 2632 wrote to memory of 3044	2632	Cfhkhd32.exe	Dmbcen32.exe
PID 2632 wrote to memory of 3044	2632	Cfhkhd32.exe	Dmbcen32.exe
PID 3044 wrote to memory of 1324	3044	Dmbcen32.exe	Dpapaj32.exe
PID 3044 wrote to memory of 1324	3044	Dmbcen32.exe	Dpapaj32.exe
PID 3044 wrote to memory of 1324	3044	Dmbcen32.exe	Dpapaj32.exe
PID 3044 wrote to memory of 1324	3044	Dmbcen32.exe	Dpapaj32.exe
PID 1324 wrote to memory of 536	1324	Dpapaj32.exe	WerFault.exe
PID 1324 wrote to memory of 536	1324	Dpapaj32.exe	WerFault.exe
PID 1324 wrote to memory of 536	1324	Dpapaj32.exe	WerFault.exe
PID 1324 wrote to memory of 536	1324	Dpapaj32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe
"C:\Users\Admin\AppData\Local\Temp\ec58ca0b4cf75c1a66a8bb1768f96508769e01b0f91f08f2569d42fd76ac8160.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\Cagienkb.exe
  C:\Windows\system32\Cagienkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\Cgaaah32.exe
    C:\Windows\system32\Cgaaah32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\Cbffoabe.exe
      C:\Windows\system32\Cbffoabe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 144
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
74KB

MD5
49b1d6b1078ba26f1318b24c625965ec

SHA1
e950eaf4cc9a9f87a071df82c389c5fe4b457e8f

SHA256
8cfe4dae244547f8eec762ea09bcb4834730f0a77cec9ccfa5dfa64e80007e69

SHA512
eaf9b1304c166a307ba9f10506574acc2a5103c047223247b6cded28d8bf7b99ca428b362c55e66f1d6c73544f0b3726d8819d2767c5d8167eb6b7b7d2139d4c

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
74KB

MD5
74c0350ade79d0dfc3f7d1aa4ee70a49

SHA1
6404edee9986ca1f3398b8473b4bafff0683d548

SHA256
b17922e3e661e59fc9cd813003e86fe351fa538fb4baed291d1c9534e9142b98

SHA512
9e4752a7ba6825e339f77bc15e3c0ef16c1b05c6c6d48e8e254a29e6f65d77781c9d30f863da87776554e8159e29481f837265a0b395b34f06c6f1dc1cf16479

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
74KB

MD5
4a966707c9b989dcd02dcd6665188176

SHA1
79c8f50d2e22313e4051cef58d16a6bd79ddaf70

SHA256
12d7892d8622838dd548eac32ff42bea2fcaac2959fa8bb8f07d03f89bb47d0c

SHA512
f09e936fdebe6276b71461c49e4ce106f7f084c8727d4a9dd8571386a755ac6773baeb10fee1f45223d79c81c0ebb79770d55b495d1b6590ecda6eda6960c711

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
74KB

MD5
342c47e4f1e37a688994bece0e29da2e

SHA1
79fa563416f8e67cbc6e2df3b8d43d277a5afc86

SHA256
65980d8d83a9311b88f1c6aef1d4cab06590add450b1ee8087a7a6d305d1fc00

SHA512
5f7ca1aeed3d43969100af557128751aa32874aaa5e56130319997d67871b9a1b8c2f6c3f07def99e21b1d8af4b534015fb83c337a4b2f6acb6425e583f3b98d

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
74KB

MD5
ee2787b208acfa824123e7957766dc3d

SHA1
376ec6591a9a365f63ba3906261895cfef68c2a4

SHA256
30e016004b9a2aaacdc743708d7c04aafe35406368b0a8a91859eedce9ce4250

SHA512
e334b13c2aac221fd7e6a5e22cf07a24013a54cec263aa6e69fa1efe5facea5112f3dea9b94ab67a7da81dc68dcb7e185fb8860e879496f59146f593b4129324

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
74KB

MD5
cb567e1c1317799e228f5726785b685e

SHA1
778c898ce8badf6c3180126e55a640788972286a

SHA256
b6a42472f9fdfa674edcf412450c9ba1786a2eb6448cb8e0efd4bd5bacd4724c

SHA512
cc2fdfeceaf1cbe740d771030e85c9fb9e761d89288c814af6bed9b8f6193bd2149ca80111e486dec7d5fc5c1a6d2167d393ce67e5a11cd414669ff60daf262f

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
74KB

MD5
c77203b3727ee1979594c79b3597d045

SHA1
b0f91d93041f81f4893e229c29fcff451ebab40a

SHA256
770922a395b51e923ad634448ef0c4276f299e1eec8e2f93e300f507d0971007

SHA512
8c8a797616ada829042f2e6d89ab2035184645f257d6cfda61db5192f807de36c26ea00506c92e728a624b941fba4061320fc7486e8878072186fee65a76c95d

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
74KB

MD5
baf76946809ac4bce5016a311ac2f659

SHA1
8e27908f78344b658873497d3d58a1a07dc72551

SHA256
acdb985a83cafe8042123c01eb4665f0beafb73406174c0025d450bfd75c3b96

SHA512
865b447c200727ef4f39b8083207ba9c9e293ed75902faeffe93b43c64efc2ee785bd3a82f16cce19c50c0d1885512d07062814db5149dde200e724f7b8011e9

Download Submit
C:\Windows\SysWOW64\Gpajfg32.dll

Filesize
7KB

MD5
74e22ceaa60feb8c9dc8fa45dce38b0e

SHA1
99ac4ed78fa9fffaf978a8a8913677ed536f7055

SHA256
0346158817a34ce297320a3a4bed53482841c456140ddda6c8d769dbc5ebc744

SHA512
8965cbb996c21f516dccd6366dbe17150edcfbf47a6ffcb8e7f5baaeb45fc966611fbc9afa832bc67cec000b73bc703e39f16da18887e08d528e06b80be1d6bf

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
74KB

MD5
cf6c0e9fd7f00bf4da3cc21cbf2fce9b

SHA1
9b1862e083a2cb5edf30e77fc6f4cbdf5e2d816f

SHA256
18b15405117a3d0fa3573a05d95c67f9cc96096596e18078902459c16c877d0b

SHA512
9cbf947308c80072438218f3d4cac3a8321f297fae94bf1c41768f61d9718fae1916fc703aa45de53076ab05db0a6cc7c02a8b90d07b0ed36ac4e387501eaa31

Download Submit
memory/316-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-24-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1324-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-26-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-34-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2448-8-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2448-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-78-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2588-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2632-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2632-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-131-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-60-0x0000000001FA0000-0x0000000001FD6000-memory.dmp

Filesize
216KB

Download
memory/2720-52-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-87-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2728-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-114-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/3044-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download