berbew | b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Size

87KB
MD5

8f0c8e1cf981f9e3f3d973f0ffbaad7b
SHA1

40802c289206ec74341d3ade027b9e79d6fbd37a
SHA256

b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9
SHA512

e909aaecfdf67aa889b0657d4b4a70b80bfb29474529b3b5b89f2e1e3d4d2931873f996dd8cd954a09f968b9fdad8dbea6b8db83b873593ecc701333a1348c51
SSDEEP

1536:etH0PITnQInZFeu4dDlcc77z0gF3OnL7CRQ4kRSRBDNrR0RVe7R6R8RPD2zL:etHCIs4KFlcc7cgF+LGeJAnDlmbGcGF8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Behgcf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
2592	Bhdgjb32.exe
2920	Bbikgk32.exe
2864	Behgcf32.exe
3068	Boplllob.exe
484	Baohhgnf.exe
1288	Bobhal32.exe
2028	Bmeimhdj.exe
1216	Cilibi32.exe
2768	Cacacg32.exe

Loads dropped DLL 22 IoCs

pid	Process
2856	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
2856	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
2592	Bhdgjb32.exe
2592	Bhdgjb32.exe
2920	Bbikgk32.exe
2920	Bbikgk32.exe
2864	Behgcf32.exe
2864	Behgcf32.exe
3068	Boplllob.exe
3068	Boplllob.exe
484	Baohhgnf.exe
484	Baohhgnf.exe
1288	Bobhal32.exe
1288	Bobhal32.exe
2028	Bmeimhdj.exe
2028	Bmeimhdj.exe
1216	Cilibi32.exe
1216	Cilibi32.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2128	2768	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2592	2856	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe	30
PID 2856 wrote to memory of 2592	2856	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe	30
PID 2856 wrote to memory of 2592	2856	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe	30
PID 2856 wrote to memory of 2592	2856	b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe	30
PID 2592 wrote to memory of 2920	2592	Bhdgjb32.exe	31
PID 2592 wrote to memory of 2920	2592	Bhdgjb32.exe	31
PID 2592 wrote to memory of 2920	2592	Bhdgjb32.exe	31
PID 2592 wrote to memory of 2920	2592	Bhdgjb32.exe	31
PID 2920 wrote to memory of 2864	2920	Bbikgk32.exe	32
PID 2920 wrote to memory of 2864	2920	Bbikgk32.exe	32
PID 2920 wrote to memory of 2864	2920	Bbikgk32.exe	32
PID 2920 wrote to memory of 2864	2920	Bbikgk32.exe	32
PID 2864 wrote to memory of 3068	2864	Behgcf32.exe	33
PID 2864 wrote to memory of 3068	2864	Behgcf32.exe	33
PID 2864 wrote to memory of 3068	2864	Behgcf32.exe	33
PID 2864 wrote to memory of 3068	2864	Behgcf32.exe	33
PID 3068 wrote to memory of 484	3068	Boplllob.exe	34
PID 3068 wrote to memory of 484	3068	Boplllob.exe	34
PID 3068 wrote to memory of 484	3068	Boplllob.exe	34
PID 3068 wrote to memory of 484	3068	Boplllob.exe	34
PID 484 wrote to memory of 1288	484	Baohhgnf.exe	35
PID 484 wrote to memory of 1288	484	Baohhgnf.exe	35
PID 484 wrote to memory of 1288	484	Baohhgnf.exe	35
PID 484 wrote to memory of 1288	484	Baohhgnf.exe	35
PID 1288 wrote to memory of 2028	1288	Bobhal32.exe	36
PID 1288 wrote to memory of 2028	1288	Bobhal32.exe	36
PID 1288 wrote to memory of 2028	1288	Bobhal32.exe	36
PID 1288 wrote to memory of 2028	1288	Bobhal32.exe	36
PID 2028 wrote to memory of 1216	2028	Bmeimhdj.exe	37
PID 2028 wrote to memory of 1216	2028	Bmeimhdj.exe	37
PID 2028 wrote to memory of 1216	2028	Bmeimhdj.exe	37
PID 2028 wrote to memory of 1216	2028	Bmeimhdj.exe	37
PID 1216 wrote to memory of 2768	1216	Cilibi32.exe	38
PID 1216 wrote to memory of 2768	1216	Cilibi32.exe	38
PID 1216 wrote to memory of 2768	1216	Cilibi32.exe	38
PID 1216 wrote to memory of 2768	1216	Cilibi32.exe	38
PID 2768 wrote to memory of 2128	2768	Cacacg32.exe	39
PID 2768 wrote to memory of 2128	2768	Cacacg32.exe	39
PID 2768 wrote to memory of 2128	2768	Cacacg32.exe	39
PID 2768 wrote to memory of 2128	2768	Cacacg32.exe	39

C:\Users\Admin\AppData\Local\Temp\b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe
"C:\Users\Admin\AppData\Local\Temp\b803b122f419628265a7a3979323b5ceb3202968cbaa671a68fc743029564ae9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Bhdgjb32.exe
  C:\Windows\system32\Bhdgjb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\Bbikgk32.exe
    C:\Windows\system32\Bbikgk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\Behgcf32.exe
      C:\Windows\system32\Behgcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
87KB

MD5
b5b0cc81451eda94afb5ec0d89884777

SHA1
77fa0fb0a58a1fd328140ba00bcc31cb0ec2884c

SHA256
6517e46250f97c4c23394d4a8e5919708b00deeeea9058294cd738b9e2c9df39

SHA512
74777ae64a39727c3606e54616bb650e667bcb42540ae7503cec8a00ce2fce7686c35cdd8b6168e39520e74099eb3771e425bd5e55cf97cf2e42861ca4206d82

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
87KB

MD5
c3854ceb3fd2d5d7ee1ef08d9884469c

SHA1
f66ee7ebf3e96f3c0d2e217f428af87cf7d8a1a9

SHA256
c92d9cf7f4f488a986aae1b0f8b0e0457903c3e213db385de2d87ea94704cca9

SHA512
5ebfbbd57de901df35bf20c233e9973223d1bfae57cbccdb91ec238cdaeb5adc3374e1d7e6dd19086d68557b87da5d87ff89cf5f8ebe186b100f6e84b35388e9

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
87KB

MD5
95da0b1b4942b5d273dede86ca13c3c5

SHA1
45f99dd240b513a518a32f773adf0728bea2d80c

SHA256
0f3011548165a5779cb7e801f2e941887fc5591f6164ca6249f0bb0d50a3e716

SHA512
be0abd6f58f41c1d6c75d8aa77377c4fb0a71007269ffc3b1c3bfb4ae0e7ace5b621b2dcf25539756a694c82516d7ce6eb51675bf1777590560bbc80006672f4

Download Submit
C:\Windows\SysWOW64\Nfolbbmp.dll

Filesize
7KB

MD5
e799992d1d82a2f217b306a323544bad

SHA1
03447be9157f8762b118650d4e57f4313cf8719c

SHA256
27b8a4e29273e6e726862a81b734a53a06697e3cbdaa179515ea0716ca83717f

SHA512
ad4d82a6b6a11b79718f54d6fbd97796250577eab22e0da5af99605c9e3d1e1278ebabd3ad99a44acbc87d33b52bb7c1a652d3448b2d50df507f503ec34c73ce

Download Submit
\Windows\SysWOW64\Bbikgk32.exe

Filesize
87KB

MD5
0d40fe9ad6fd291163d428614c7f55bc

SHA1
c802cf7e40dfb3ecf1030b9c5d72c0fe55d9d76a

SHA256
f022cd9b8bc801d6194dbf80c6804a66c44dd26956698fd0df8b70d30aab5b86

SHA512
941445f3f7b6b220f612f6d86470eafe088c11ae86cadc313352729a73c1b9a7dbd8b17c63de54ebf496fe02c4687864b0b1f94c1f4998f997c09a1ec697948d

Download Submit
\Windows\SysWOW64\Behgcf32.exe

Filesize
87KB

MD5
884370a3825b55afbc55c21a34adb6e6

SHA1
b752def51d942b7a79fcfbdc3a385c24db971281

SHA256
aaef6ed1d5f37101f1f2d8e6f8331b2b250327615fcffeb505539f31965eaeca

SHA512
9da4aad66a093ace4f0aea13f2f92a8a6f82d5c4e99d1338e2f2845f06d8fc37c5159b92af2170294f6a4543dda4b66c5ad2d61436a0d014e47fe35fef66867e

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
87KB

MD5
f0e6f84af67ac92447a4fb20a91a9678

SHA1
f88016d26baa95bbd804dadacb052e22a6b0aeb8

SHA256
d3dd23e1bb9613506d4d632699d55be00f09e3aed1caafd49a24b293e92fa58e

SHA512
7cb10bab51f9b77620e51f333cd1128023e4d3a0eff22a6092fac16bd9b3c954ee328e67eb8f176b7e65beadbc7e8618504c2956bb1bc11704be1fc817faf0cc

Download Submit
\Windows\SysWOW64\Boplllob.exe

Filesize
87KB

MD5
b691b6e8610fa4ad4e6ddcfc8e42ffd5

SHA1
5ac1dc8bd2e5e4ba149ade3ebcd0b9bb1874e4d5

SHA256
29a53b2c9ca21155f4a28c3340ab7a2417ae7e96be9b889149aade6e1005b416

SHA512
f6ae83f74507343283815e98b09b15f2d3329b8c1500c41218957e0f1186ab79622cefa7f2e58cbb45d5083dab00c2a90fb1988c819a4b67b977d39212fdbdae

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
87KB

MD5
1ab9b93557cad350661a0c9f9c7b7a6a

SHA1
0568d00a2b337bcd54a57b1bfa0515985b905a67

SHA256
86f1e3a2652df09ffcf3b8166f2cba45ac7c9c097b8fdb427cc39a53a3e0b3c1

SHA512
09374a8e82ab1ce544f68ce3326350f1085c90f14f30f43d996b2f511afc31493bbbca6745960de634f4dd77347bb4dc20def7ebf8f6fb524a988fa57aa40db9

Download Submit
\Windows\SysWOW64\Cilibi32.exe

Filesize
87KB

MD5
78dee1e3d0b70b0a36fae3a0494b6dd2

SHA1
82673bd53247aa3334cc552d1f929bf17b1726a8

SHA256
ae4dd84f69ac6df1eda66fa2c87adfc0bb4b65e27d3017578b22c5caccd4e7ef

SHA512
8d9e542a215a7d03dd9343ae80dc67d76ea02f060e003ca5040f024aeff9f915478c49a8a7fa84cebefc050b35e606250744aaa6990b43a4ff35d794b68fdc87

Download Submit
memory/484-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/484-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1216-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1216-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-134-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1288-97-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1288-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-136-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2028-111-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2592-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-81-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2592-26-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2592-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-12-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2864-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-39-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2920-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads