berbew | 8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Size

88KB
MD5

ae8cde720f5da210b740d47f00acf447
SHA1

42823c3118b3431bf352cd39e78120fa52e23330
SHA256

8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814
SHA512

ea365d04bcad5106685af944815d44c51cc928ba957c2c25499e71c23e7c7431993ec23043dd4943c63a59a5c609a30020157208abc6ff40b5ddf44d5f1b795f
SSDEEP

1536:pXMLSwx+4joJ2dOmjJpvG8dI27opJDwsR2qphwkACDaTpeuge5T1Gnouy8b:QSwx+4cmdjJpRSwsR2IVKT12outb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
2440	Dobfld32.exe
3248	Delnin32.exe
888	Dhkjej32.exe
2116	Dodbbdbb.exe
980	Daconoae.exe
4788	Ddakjkqi.exe
2400	Dkkcge32.exe
1180	Dmjocp32.exe
2064	Dddhpjof.exe
3252	Dknpmdfc.exe
2648	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4348	2648	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 2440	344	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe	82
PID 344 wrote to memory of 2440	344	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe	82
PID 344 wrote to memory of 2440	344	8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe	82
PID 2440 wrote to memory of 3248	2440	Dobfld32.exe	83
PID 2440 wrote to memory of 3248	2440	Dobfld32.exe	83
PID 2440 wrote to memory of 3248	2440	Dobfld32.exe	83
PID 3248 wrote to memory of 888	3248	Delnin32.exe	84
PID 3248 wrote to memory of 888	3248	Delnin32.exe	84
PID 3248 wrote to memory of 888	3248	Delnin32.exe	84
PID 888 wrote to memory of 2116	888	Dhkjej32.exe	85
PID 888 wrote to memory of 2116	888	Dhkjej32.exe	85
PID 888 wrote to memory of 2116	888	Dhkjej32.exe	85
PID 2116 wrote to memory of 980	2116	Dodbbdbb.exe	86
PID 2116 wrote to memory of 980	2116	Dodbbdbb.exe	86
PID 2116 wrote to memory of 980	2116	Dodbbdbb.exe	86
PID 980 wrote to memory of 4788	980	Daconoae.exe	87
PID 980 wrote to memory of 4788	980	Daconoae.exe	87
PID 980 wrote to memory of 4788	980	Daconoae.exe	87
PID 4788 wrote to memory of 2400	4788	Ddakjkqi.exe	88
PID 4788 wrote to memory of 2400	4788	Ddakjkqi.exe	88
PID 4788 wrote to memory of 2400	4788	Ddakjkqi.exe	88
PID 2400 wrote to memory of 1180	2400	Dkkcge32.exe	89
PID 2400 wrote to memory of 1180	2400	Dkkcge32.exe	89
PID 2400 wrote to memory of 1180	2400	Dkkcge32.exe	89
PID 1180 wrote to memory of 2064	1180	Dmjocp32.exe	90
PID 1180 wrote to memory of 2064	1180	Dmjocp32.exe	90
PID 1180 wrote to memory of 2064	1180	Dmjocp32.exe	90
PID 2064 wrote to memory of 3252	2064	Dddhpjof.exe	91
PID 2064 wrote to memory of 3252	2064	Dddhpjof.exe	91
PID 2064 wrote to memory of 3252	2064	Dddhpjof.exe	91
PID 3252 wrote to memory of 2648	3252	Dknpmdfc.exe	92
PID 3252 wrote to memory of 2648	3252	Dknpmdfc.exe	92
PID 3252 wrote to memory of 2648	3252	Dknpmdfc.exe	92

C:\Users\Admin\AppData\Local\Temp\8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe
"C:\Users\Admin\AppData\Local\Temp\8a5331a12a4d1e11d1fe0c1afb44d9a62b1fd560c610714b4509617e31df8814.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\SysWOW64\Dobfld32.exe
  C:\Windows\system32\Dobfld32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\Delnin32.exe
    C:\Windows\system32\Delnin32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\SysWOW64\Dhkjej32.exe
      C:\Windows\system32\Dhkjej32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 408
        13⤵
        Program crash
        
        PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2648 -ip 2648
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
88KB

MD5
e68defbf78a01704c98689fe873fd4a3

SHA1
c0d3f8cceb60894a1b7346dfd8b481a1899770f7

SHA256
6cd722e068b356c395b0169e0927acabcd40f863049c840b283698537a8d4c1b

SHA512
2e2bec608432b71e4e601355bced74dc6ec35630498d96c361e47503788998ef4626df9dbb0dca63c842a1efbf4a4bcd0bbc1e7e4fb08a796c937e0f1b415a95

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
88KB

MD5
425c0f32cce7885c96e23db4ad73f254

SHA1
06cbd1d2f9a13a1f6fa13d401f4ace9199425aa7

SHA256
98ada3aa9a9eb88e6d6c3ea82868be23e1394e1b91983f2e7b4be885b7fa7cd0

SHA512
c69450191a046ede36bc38d00c2d7b76e91ec282f4ad4031ab5908f868b3a3159a96aad4d73a4b438d1ba6b078f3e84e73b331b5f678cda0954de93c88b00f45

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
88KB

MD5
c6ba169262e5c3ee4b350d509cc83711

SHA1
c2d91d3a20a3f948ce5853c194de34447a7f9130

SHA256
164d98ed3fe7555e6bad7f4f031c3bd7384691b77f128e6365fd67f9d4dd2080

SHA512
472357f649be4d11bc070dc68b05304a1c1a30b53e5e11e4821d26c14354e9b458c12bf6462fd75e871cb3b8ec1e0a1b21b50e47db22b7356562fdb0a0aa8d25

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
88KB

MD5
2d196f14674578b9eb1b5123250a7d66

SHA1
b9d5b835889f306058fc06bf89d00e68398bd8a2

SHA256
92a41795fe1bd7ab5d7f6bc737de1fa188a640295673dcc261bbe626bf54a303

SHA512
3e508277241b4a7cb951aaf9ccf464e9a3999631308a48470fa05bf831fa7260c8edac4f159f8217ebc93902892d631ef36b099fefe0a63d53182ce0bbf20488

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
88KB

MD5
752d535a0c555422b3eee3df5c2622ad

SHA1
a9554595c86f15b6ab47d47b98f76bdd8b7ce164

SHA256
c90a4c8fcc9baac167cfd0931357ae9feeb8836aa7697f9c2c8e22fa3968be8b

SHA512
3e2a8f44b0a9c62642950de59a4a91102070f8fd30c7a38fc2fc1da394e0c9060a85a05ddf4ff4dd4100ef511f0f810deaee86a126ed80817d23380d09c1f029

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
88KB

MD5
10a9f948f8614f4d01fba59bf1d887ec

SHA1
27cc6b380fc490b435f49902d1a81252e5d254c5

SHA256
1afd95b9aa346e97c84db0f05dce91bd32615a4d093e012361be2737630c5d39

SHA512
f3cc921c226c8436f06cc321b6c25543556f3f93272e1bccd8f3303d3f6d9c025a0d642b4e543a4dcaeabb371f52e44703ae42e4dcd1f536ee1179cf1cdd5fdf

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
88KB

MD5
234685cee9900ff1dfe1085caa2014be

SHA1
63bd68f231b09fe4f5b126dfcd64f723c7c06466

SHA256
4a33a46aa7bc73efba4b296be85c563c96080abd44579a54f9fecec81ba2897f

SHA512
4e2249f821b227d05929ed125ea8b6ef33e7dcbfadb2a0659041fe797a5e90974e2d689c6875ff2f9485b782c2590c8893cea261d6f652d30fda92958daaa4c5

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
88KB

MD5
e94d2cf0eb9ef5b59eb0c385e80302f7

SHA1
5152c5352f3187699f0d34785c30c8de4857ccf4

SHA256
84a7338574b4a18f2468a043a00b297ede664a3fa5c59900cb8bdbb432656636

SHA512
8823a4d4df42809839979f74f1c6edb12e4225e3520ac18f9612fb168487804dca0f891daacfd42c4747e566326e3a13c305829e7281ebfbad234982486169c3

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
88KB

MD5
1e37c7c5237d49dd55e820aaafb3410a

SHA1
dec0f0ac3f05bbf2a9f62b1a2bd4a624639d4fd5

SHA256
b4d91438c2c515de5931542b9587d13026452c79d05873423c3635b0666f0ae7

SHA512
b5e29ffc575dcab0bb46c19f950823cf61d5f85feb74f97b5b5b7c216f5480556672996b8b5ce5a427f65ac3aafc8235fead855e117e993cfe912458e04db28d

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
88KB

MD5
f7b5b0e94dd1435d5c8a44530697965d

SHA1
23de72662e7453ca4fcd348b2ba4a0b6728f9473

SHA256
07d2d56f816e3d33d58a032d6eb3b35709a3ef549f1ba1d03c2bfe53828bd4ae

SHA512
355bd5810229a60b0a3604a1d09e5a3a193c740a8bfa9bc00c06a7f4d193f0dfd5daea081bd25cb82486304323c1cdf309f6ea080fe0f8585632b8da291e1edd

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
88KB

MD5
4edda82a3d98d1a0fbc8d64d409dd89b

SHA1
d28d068d5de002016e96b693ac1b2d8ac8496e4e

SHA256
b6ffd3a74226fbe7f2e18bf2c68872a1b00318b75aeb35a66fc9f59c78e3d9a3

SHA512
0e7df717e7270d44252108b790552fffe5b794e1add70ba74d5be0037674b74c3c8eb0b4a20fe87192ecf4d7579e04632c7fe44ce19c809cac165636cc5d9d93

Download Submit
C:\Windows\SysWOW64\Oammoc32.dll

Filesize
7KB

MD5
591cfc51e959bb6b004cc0ef2bfa0bc6

SHA1
5d2acfa88803905736dd3d1375a8732bf7def631

SHA256
b8f74ecf1b51ba6c0fb5533c0ab70e57805964f047f2e40cc6ea33226537e8b8

SHA512
0ab5832f70963ff095c0e0401b3e9ee0bdd6dd2fb661b262a63c8b3c5619866dfa2e64ebcabe345fddccbb2c4b364907ffb8b1ee7961bbb43f6edf9d6a8d5ef1

Download Submit
memory/344-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/344-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads