berbew | e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Size

57KB
MD5

5b9c6915ece8933a3100b442b3e28f60
SHA1

9b8e88133fc4e271176cb8d47267d5d37e3ab7ec
SHA256

e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679
SHA512

785b1763f12d6e820d804abe7136160caec131609e3824589fb529a94736e379ecc3d75e74f8220593960ca6bdede1490203923cad65e6e6e561defa0dca3deb
SSDEEP

1536:P0fwTr8kSmia91Sf8/z9VK0DowHAPdYWrU:8fwTAkSmiSL/pI08wHUg

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
2796	Kdnkdmec.exe
2236	Khjgel32.exe
1332	Kocpbfei.exe
2700	Kfodfh32.exe
2728	Kadica32.exe
1224	Kkmmlgik.exe
1956	Kipmhc32.exe
1272	Kgcnahoo.exe
588	Lmmfnb32.exe
280	Lbjofi32.exe

Loads dropped DLL 25 IoCs

pid	Process
1180	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
1180	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
2796	Kdnkdmec.exe
2796	Kdnkdmec.exe
2236	Khjgel32.exe
2236	Khjgel32.exe
1332	Kocpbfei.exe
1332	Kocpbfei.exe
2700	Kfodfh32.exe
2700	Kfodfh32.exe
2728	Kadica32.exe
2728	Kadica32.exe
1224	Kkmmlgik.exe
1224	Kkmmlgik.exe
1956	Kipmhc32.exe
1956	Kipmhc32.exe
1272	Kgcnahoo.exe
1272	Kgcnahoo.exe
588	Lmmfnb32.exe
588	Lmmfnb32.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kocpbfei.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kocpbfei.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Ffakjm32.dll	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kocpbfei.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kipmhc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1500	280	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2796	1180	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe	30
PID 1180 wrote to memory of 2796	1180	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe	30
PID 1180 wrote to memory of 2796	1180	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe	30
PID 1180 wrote to memory of 2796	1180	e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe	30
PID 2796 wrote to memory of 2236	2796	Kdnkdmec.exe	31
PID 2796 wrote to memory of 2236	2796	Kdnkdmec.exe	31
PID 2796 wrote to memory of 2236	2796	Kdnkdmec.exe	31
PID 2796 wrote to memory of 2236	2796	Kdnkdmec.exe	31
PID 2236 wrote to memory of 1332	2236	Khjgel32.exe	32
PID 2236 wrote to memory of 1332	2236	Khjgel32.exe	32
PID 2236 wrote to memory of 1332	2236	Khjgel32.exe	32
PID 2236 wrote to memory of 1332	2236	Khjgel32.exe	32
PID 1332 wrote to memory of 2700	1332	Kocpbfei.exe	33
PID 1332 wrote to memory of 2700	1332	Kocpbfei.exe	33
PID 1332 wrote to memory of 2700	1332	Kocpbfei.exe	33
PID 1332 wrote to memory of 2700	1332	Kocpbfei.exe	33
PID 2700 wrote to memory of 2728	2700	Kfodfh32.exe	34
PID 2700 wrote to memory of 2728	2700	Kfodfh32.exe	34
PID 2700 wrote to memory of 2728	2700	Kfodfh32.exe	34
PID 2700 wrote to memory of 2728	2700	Kfodfh32.exe	34
PID 2728 wrote to memory of 1224	2728	Kadica32.exe	35
PID 2728 wrote to memory of 1224	2728	Kadica32.exe	35
PID 2728 wrote to memory of 1224	2728	Kadica32.exe	35
PID 2728 wrote to memory of 1224	2728	Kadica32.exe	35
PID 1224 wrote to memory of 1956	1224	Kkmmlgik.exe	36
PID 1224 wrote to memory of 1956	1224	Kkmmlgik.exe	36
PID 1224 wrote to memory of 1956	1224	Kkmmlgik.exe	36
PID 1224 wrote to memory of 1956	1224	Kkmmlgik.exe	36
PID 1956 wrote to memory of 1272	1956	Kipmhc32.exe	37
PID 1956 wrote to memory of 1272	1956	Kipmhc32.exe	37
PID 1956 wrote to memory of 1272	1956	Kipmhc32.exe	37
PID 1956 wrote to memory of 1272	1956	Kipmhc32.exe	37
PID 1272 wrote to memory of 588	1272	Kgcnahoo.exe	38
PID 1272 wrote to memory of 588	1272	Kgcnahoo.exe	38
PID 1272 wrote to memory of 588	1272	Kgcnahoo.exe	38
PID 1272 wrote to memory of 588	1272	Kgcnahoo.exe	38
PID 588 wrote to memory of 280	588	Lmmfnb32.exe	39
PID 588 wrote to memory of 280	588	Lmmfnb32.exe	39
PID 588 wrote to memory of 280	588	Lmmfnb32.exe	39
PID 588 wrote to memory of 280	588	Lmmfnb32.exe	39
PID 280 wrote to memory of 1500	280	Lbjofi32.exe	40
PID 280 wrote to memory of 1500	280	Lbjofi32.exe	40
PID 280 wrote to memory of 1500	280	Lbjofi32.exe	40
PID 280 wrote to memory of 1500	280	Lbjofi32.exe	40

C:\Users\Admin\AppData\Local\Temp\e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe
"C:\Users\Admin\AppData\Local\Temp\e5a5f58c950b516529ba4a366ea3b429ae3452c50bbea4f0ea0b55de66672679N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\Kdnkdmec.exe
  C:\Windows\system32\Kdnkdmec.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Khjgel32.exe
    C:\Windows\system32\Khjgel32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Kocpbfei.exe
      C:\Windows\system32\Kocpbfei.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Khjgel32.exe

Filesize
57KB

MD5
da82803e87d54f18abbc802963da98b8

SHA1
871ef9aa2aa81013b13f1a37c9fd96d660d663fd

SHA256
86e855cb9b23a23a1ef7aec86787b4fecd9b5d9a0db4a967abfa9492a0127b17

SHA512
4e63fe5417ecf25b32772fa96fed968e21d1b1aa0ce88f336e0b6b6666a266aca91fb20802b46699e4375f59eb80e0dc224df77b36edbe761fa45f01f6c8912d

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
57KB

MD5
71aec19e881b35392a4f3f357d916a9d

SHA1
9c8ac03e2ef75c85007f3f6ddd9f3512bb155dd2

SHA256
f528a806b5f35ac32ba7725fae5e9451b61343f5f6dfae83ea4a57e4292d1325

SHA512
b078c3a79513e627c0fb5fe36c6ea30fdfe8592c0d5659a68fdb997d71f0c9f7d6547ed180bdec596fe83bfd9af96e8a959a6e4da5468798c5b2a8bda9fa5c33

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
57KB

MD5
fd0747fe440667f672cbc95c3fc56700

SHA1
ae03c04bfbee9976cf6a75e0059e6da923c707f2

SHA256
733a70628dc8ebd9e6b377b1d8dba9fb7ab119614f6fc606936ac983c85ee08d

SHA512
cbe8b8de668a99d990889315a7490f1a1b9cec7c69c6656336540eaebb324e343480585df9f89436e2a977a3e5ff5800d431434993e58b4dce950852954beacd

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
57KB

MD5
7287ed8eea44b3ce98b19168d9a2be21

SHA1
9ed9089836eb6ee3b8f58a17b96710260a00ce8c

SHA256
e37142f25b0a445ae56a00e9f3bf48880077d66a18f28a29b0e85037ece42e39

SHA512
b46e77007d51d8402268043ebdae7d57a0de2a194cd1e4f24f6ef7827cfc6232632f41a30d80faabf9b12e0a4f4f3d596701c3de31b072c222608d2d37f4beef

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
57KB

MD5
b0cdb6a4680d416950178a9db95d3069

SHA1
5cb28da6c3e92d8002446fc52cbf201ae3a05a2f

SHA256
36af08233259fdd60dce2a0f1a8a3b548e1d57c72ae309407a6c2b7402bdf485

SHA512
0fccd0f0db4b87ddea4a7421675262dfee0842c9e315db956c4d0f664e2f74455bef8fd87b8193051cfba0a3a844e7801879d4bb2a1dc88b279907c4ddce8c87

Download Submit
\Windows\SysWOW64\Kadica32.exe

Filesize
57KB

MD5
0771cb1b71e8064fb73b298042e4c52d

SHA1
4086dab1374761d01c5ab8f3547baf412e37692d

SHA256
3e21bac79babbb403312d62bac63dbd8b3e78f8277e73f58d65c7ce612756485

SHA512
dc7fac7f9e24838fe4093142ccee24d4a4dfb4f5cd57de87b865f086f5064b509398f9f172dd9b226aa2bb37bc4bd23060d97dd23dbf0e43275661d504740df3

Download Submit
\Windows\SysWOW64\Kdnkdmec.exe

Filesize
57KB

MD5
6a289342caeb7c6458a704ba25fde8e7

SHA1
1501b1ed26b0c91cc843d09a2a7c8c98a6b57ecb

SHA256
aced5220e2a4c8321f4213b6b8bb005042e548691f7e9c8e951b4fb183bd0006

SHA512
565d940464d74a568ed8e05b16ec5491a0b013816afbfeeceefd65e1217940963d8ed88983900b7bb595d4b39bbe838cd54e757913894ba881c2e6ed14e6d44a

Download Submit
\Windows\SysWOW64\Kfodfh32.exe

Filesize
57KB

MD5
59efcb5feecd7e6db0d21470d87462fc

SHA1
0abd8ba823e874b4eb36347ded5da93459aaa919

SHA256
70084b9dbd43ab7ff49b862012038c8120b7d404ad99d31190a8a8d65820ffe7

SHA512
e5120e878cdb2f45695cd5128ab8a565a57298d4f64e9aecc021b8948db9a21fec39bc12807110fcc7afdbaa75b1b3ed486195d09617e1960b1438ab883793f2

Download Submit
\Windows\SysWOW64\Kgcnahoo.exe

Filesize
57KB

MD5
dba0ab523015da310a8fa0e5552fa038

SHA1
b1f06c892433fda7f1cb299dddd025675c40fb71

SHA256
6eb8aa81ec2aaab445ad26c38eabb2bd98c23042b78cdc60ffb43a6934e558ad

SHA512
1d5bac3ef9ae68acf9b8330c50708a2a5c8037743568edef9f618badc9bdc98ba75d9042b0b9a0803bf1856696a477f78a0518813ad9a74e12c0a5047ec79730

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
57KB

MD5
4926aebddb0ea5fe207fbcf63339f6be

SHA1
35b4601492ea47db0c40edcebe82f715beb5eed9

SHA256
6e13e001075e1b1266bbf4192da36609a7af8fe66316aff34ab665b4877e565c

SHA512
e65a73733fcb141abf9df5783598c622ef4e9be95340875af50f2648b88a940a129aede7db956a87c75a42563aa16657819e5a96f9859e95a5c2d9bc6175844b

Download Submit
memory/280-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/588-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/588-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/588-131-0x0000000001F40000-0x0000000001F75000-memory.dmp

Filesize
212KB

Download
memory/1180-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1180-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1180-17-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1180-18-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1224-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1224-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1332-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1332-48-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1332-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-104-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1956-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-68-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2700-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-77-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2728-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-32-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2796-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads