berbew | 1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b

Analysis

max time kernel
74s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
Size

81KB
MD5

afa6b307955eece2babf9b7cb5ff2376
SHA1

950c419ec1a4775940fda159b91bf6292cf6f224
SHA256

1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b
SHA512

770f3199b63e431e7788abbccab365eac0d7a257092abf6e0e44b0f48b765d019d34a41ff97d2e591053dd21aaf9252123a5453b934bfd6ede64ee623c31b983
SSDEEP

1536:BgvJ6gBIVzjoBm541PJGUNhP6K9M7m4LO++/+1m6KadhYxU33HX0B:SvgYdBLGUNhCK9M/LrCimBaH8UH30B

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mldgbcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlpngd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlpngd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mifkfhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mifkfhpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mldgbcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqeha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmacej32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
2224	Mlpngd32.exe
2220	Mfebdm32.exe
2168	Mifkfhpa.exe
2180	Mldgbcoe.exe
2252	Ngqeha32.exe
2828	Nknnnoph.exe
2484	Nkqjdo32.exe
2332	Nmacej32.exe
1460	Opblgehg.exe

Loads dropped DLL 22 IoCs

pid	Process
1688	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
1688	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
2224	Mlpngd32.exe
2224	Mlpngd32.exe
2220	Mfebdm32.exe
2220	Mfebdm32.exe
2168	Mifkfhpa.exe
2168	Mifkfhpa.exe
2180	Mldgbcoe.exe
2180	Mldgbcoe.exe
2252	Ngqeha32.exe
2252	Ngqeha32.exe
2828	Nknnnoph.exe
2828	Nknnnoph.exe
2484	Nkqjdo32.exe
2484	Nkqjdo32.exe
2332	Nmacej32.exe
2332	Nmacej32.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mlpngd32.exe	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
File created	C:\Windows\SysWOW64\Ncpkpiaj.dll	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
File created	C:\Windows\SysWOW64\Pagmlp32.dll	Mfebdm32.exe
File created	C:\Windows\SysWOW64\Cfdiko32.dll	Mifkfhpa.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Nmacej32.exe
File created	C:\Windows\SysWOW64\Fkohmocc.dll	Nknnnoph.exe
File opened for modification	C:\Windows\SysWOW64\Mldgbcoe.exe	Mifkfhpa.exe
File created	C:\Windows\SysWOW64\Nknnnoph.exe	Ngqeha32.exe
File opened for modification	C:\Windows\SysWOW64\Mifkfhpa.exe	Mfebdm32.exe
File created	C:\Windows\SysWOW64\Cmnhge32.dll	Ngqeha32.exe
File created	C:\Windows\SysWOW64\Nmacej32.exe	Nkqjdo32.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Nmacej32.exe
File opened for modification	C:\Windows\SysWOW64\Mlpngd32.exe	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
File created	C:\Windows\SysWOW64\Mldgbcoe.exe	Mifkfhpa.exe
File opened for modification	C:\Windows\SysWOW64\Ngqeha32.exe	Mldgbcoe.exe
File created	C:\Windows\SysWOW64\Bghemo32.dll	Mldgbcoe.exe
File opened for modification	C:\Windows\SysWOW64\Nkqjdo32.exe	Nknnnoph.exe
File opened for modification	C:\Windows\SysWOW64\Mfebdm32.exe	Mlpngd32.exe
File created	C:\Windows\SysWOW64\Ngqeha32.exe	Mldgbcoe.exe
File opened for modification	C:\Windows\SysWOW64\Nmacej32.exe	Nkqjdo32.exe
File created	C:\Windows\SysWOW64\Gaegla32.dll	Nkqjdo32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Nmacej32.exe
File created	C:\Windows\SysWOW64\Mfebdm32.exe	Mlpngd32.exe
File opened for modification	C:\Windows\SysWOW64\Nknnnoph.exe	Ngqeha32.exe
File created	C:\Windows\SysWOW64\Nkqjdo32.exe	Nknnnoph.exe
File created	C:\Windows\SysWOW64\Pgcacc32.dll	Mlpngd32.exe
File created	C:\Windows\SysWOW64\Mifkfhpa.exe	Mfebdm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2740	1460	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlpngd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfebdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nknnnoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkqjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mifkfhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mldgbcoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmacej32.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mifkfhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghemo32.dll"	Mldgbcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpkpiaj.dll"	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnhge32.dll"	Ngqeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmacej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaegla32.dll"	Nkqjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlpngd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgcacc32.dll"	Mlpngd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mldgbcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mifkfhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mldgbcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkohmocc.dll"	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlpngd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagmlp32.dll"	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfdiko32.dll"	Mifkfhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmacej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2224	1688	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe	30
PID 1688 wrote to memory of 2224	1688	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe	30
PID 1688 wrote to memory of 2224	1688	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe	30
PID 1688 wrote to memory of 2224	1688	1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe	30
PID 2224 wrote to memory of 2220	2224	Mlpngd32.exe	31
PID 2224 wrote to memory of 2220	2224	Mlpngd32.exe	31
PID 2224 wrote to memory of 2220	2224	Mlpngd32.exe	31
PID 2224 wrote to memory of 2220	2224	Mlpngd32.exe	31
PID 2220 wrote to memory of 2168	2220	Mfebdm32.exe	32
PID 2220 wrote to memory of 2168	2220	Mfebdm32.exe	32
PID 2220 wrote to memory of 2168	2220	Mfebdm32.exe	32
PID 2220 wrote to memory of 2168	2220	Mfebdm32.exe	32
PID 2168 wrote to memory of 2180	2168	Mifkfhpa.exe	33
PID 2168 wrote to memory of 2180	2168	Mifkfhpa.exe	33
PID 2168 wrote to memory of 2180	2168	Mifkfhpa.exe	33
PID 2168 wrote to memory of 2180	2168	Mifkfhpa.exe	33
PID 2180 wrote to memory of 2252	2180	Mldgbcoe.exe	34
PID 2180 wrote to memory of 2252	2180	Mldgbcoe.exe	34
PID 2180 wrote to memory of 2252	2180	Mldgbcoe.exe	34
PID 2180 wrote to memory of 2252	2180	Mldgbcoe.exe	34
PID 2252 wrote to memory of 2828	2252	Ngqeha32.exe	35
PID 2252 wrote to memory of 2828	2252	Ngqeha32.exe	35
PID 2252 wrote to memory of 2828	2252	Ngqeha32.exe	35
PID 2252 wrote to memory of 2828	2252	Ngqeha32.exe	35
PID 2828 wrote to memory of 2484	2828	Nknnnoph.exe	36
PID 2828 wrote to memory of 2484	2828	Nknnnoph.exe	36
PID 2828 wrote to memory of 2484	2828	Nknnnoph.exe	36
PID 2828 wrote to memory of 2484	2828	Nknnnoph.exe	36
PID 2484 wrote to memory of 2332	2484	Nkqjdo32.exe	37
PID 2484 wrote to memory of 2332	2484	Nkqjdo32.exe	37
PID 2484 wrote to memory of 2332	2484	Nkqjdo32.exe	37
PID 2484 wrote to memory of 2332	2484	Nkqjdo32.exe	37
PID 2332 wrote to memory of 1460	2332	Nmacej32.exe	38
PID 2332 wrote to memory of 1460	2332	Nmacej32.exe	38
PID 2332 wrote to memory of 1460	2332	Nmacej32.exe	38
PID 2332 wrote to memory of 1460	2332	Nmacej32.exe	38
PID 1460 wrote to memory of 2740	1460	Opblgehg.exe	39
PID 1460 wrote to memory of 2740	1460	Opblgehg.exe	39
PID 1460 wrote to memory of 2740	1460	Opblgehg.exe	39
PID 1460 wrote to memory of 2740	1460	Opblgehg.exe	39

C:\Users\Admin\AppData\Local\Temp\1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe
"C:\Users\Admin\AppData\Local\Temp\1da67f0a381db27739450a7cf5a22b34fa85820492ac76f2db07c21f5af39d1b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\Mlpngd32.exe
  C:\Windows\system32\Mlpngd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\Mfebdm32.exe
    C:\Windows\system32\Mfebdm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\Mifkfhpa.exe
      C:\Windows\system32\Mifkfhpa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\Mldgbcoe.exe
        
        C:\Windows\system32\Mldgbcoe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\Ngqeha32.exe
        
        C:\Windows\system32\Ngqeha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Nknnnoph.exe
        
        C:\Windows\system32\Nknnnoph.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Nkqjdo32.exe
        
        C:\Windows\system32\Nkqjdo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Nmacej32.exe
        
        C:\Windows\system32\Nmacej32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mfebdm32.exe

Filesize
81KB

MD5
3bb4b17fca0cdc9e8a4b363a0d88e643

SHA1
83d4e477a7ce8b2a0829b157d7b73e1830b60cf2

SHA256
085459c14e5656af7e69032e7c4dfa50b8cebfe58727c95fc2956ab69d919cc3

SHA512
9ff6490ca4c1706ba744eba91f07a23d2ceaa21458f24aea57c9bed4340df43a37f2bf6d2e3b4b35706786a59a1872ba748c68082fcb06ce60f265d1d2f5e47f

Download Submit
C:\Windows\SysWOW64\Mldgbcoe.exe

Filesize
81KB

MD5
8af2b7ce38ee0f5dee1997f2b03b5b1f

SHA1
d344169899b6fdd5f889ad5f699d1ee5aa031e91

SHA256
177273cf9912bb4ec1d17463512d54bf77efa78c3f862e74be1ce8e1d5f144c9

SHA512
74fe29b63ce243d34e21980b4ca9e6a635210151c74d6bc1a4759b3f923927f95d9e208c2d34ae8cd1ebf7fdc1edc2b3d8e6f9f69528fb910a66fb371d479daf

Download Submit
C:\Windows\SysWOW64\Mlpngd32.exe

Filesize
81KB

MD5
de0e303522b5918a0083e81748fe126a

SHA1
4e7a2e3a5b374e40ee722404ac0893daf7db55fb

SHA256
9cb191ab6d6655ab255464762d1ee32c0c8957fc5489d29a1b1b98e4bd9a8e30

SHA512
317c0c283918e71ea6d4fcf9863a3a3f632c3dfac105140609941bcf69f068d509b9ed0d682365f9185537c8822d733e86190686074e8966b7503fef5e461352

Download Submit
\Windows\SysWOW64\Mifkfhpa.exe

Filesize
81KB

MD5
4479da7e64fa6a0d8906ff0b541107ef

SHA1
f08c5ff686cc50cc4f882cd79d4e4e93cba5b778

SHA256
8ba9f861b628713fc688191ac3f79bdf20c5633c5128ec10f75800a11bca5c11

SHA512
6adb451ff93e7bfc89d1c3bec2277a4ab9f45099d4a80f6f0f9a5104994b34c33ec2e36e3271c6a50150874b7fbc07ff2b66a2532a75d6d4f63e37445a5192b8

Download Submit
\Windows\SysWOW64\Ngqeha32.exe

Filesize
81KB

MD5
133cc627734c57cd85ec7936a52294ba

SHA1
7cc03f7bc26bf9bed3e7ca891ebcc457569f0b1f

SHA256
172fcc79653feafe112fc5648db917cd6ed1108acf4909f87bc49b78b43be0a8

SHA512
08f3cdbb5d994a283ba899514ed753e079b3109cf1a1e7e4598a5c13122df8f7ff8f6410bb674210e0952495cbf3804804b71631b5ad70a81a6464b8d737eb63

Download Submit
\Windows\SysWOW64\Nknnnoph.exe

Filesize
81KB

MD5
b956a34684d26f24cff297e8458b6d99

SHA1
0a7c55c7833d93a1067a8bdb90e60a5376d8ec02

SHA256
461349ef6de97804f7b29fc569773cb9339ea671d087a323eff8612672d7a47d

SHA512
51f76cfb3e9bf4c264cdddce1d1f56202cf6c489ce8d957bc7a735fb7f32aee08698779ffb05032df290e4d8b9e0778f8c69d0bbcbdb52894e93c751cf37fc99

Download Submit
\Windows\SysWOW64\Nkqjdo32.exe

Filesize
81KB

MD5
f6e1f4457629628ada21b5b50c84e587

SHA1
18eb22ad74abfd1db801fbdbe2d5aac939e5e1fd

SHA256
75645cf592057569ed75c4af2f4021da8ddb6d7eef9b74a39dc4761b4b29257d

SHA512
72e9d39a432822d9c114b9a2a5d9f5fea9edec79a2d3231a31a69d4d5f24211a1f3a3f0cc99390f2875f2092e00bcf791acf5b02a6877d6f1d038cfe54c661b3

Download Submit
\Windows\SysWOW64\Nmacej32.exe

Filesize
81KB

MD5
6ed8af1adde6bef30b803a9e7bfcaca2

SHA1
bd81206378c6638191a344c404749df29be5913d

SHA256
96d19df44e3176bca25c1d7c81283d088a686919de374e257c54d14fe09b6b08

SHA512
fe49efa86759c9763ba79340ad65c7e69941824f75cd9590ebac2a5e459d7e01e6a115e13e12dee9554cf729a1849795cbe2f77db132904c0c278160f6058017

Download Submit
\Windows\SysWOW64\Opblgehg.exe

Filesize
81KB

MD5
5ca062d1a18328b9dfb6c6323dd0cae6

SHA1
641eeebd8da0a97332baf7dc70aa94856c65dff2

SHA256
09acafa238ba9a58fe5b7b02de3d0080c261aef36f7571a460d968cdda64c89c

SHA512
f5765bb559d6dce99566024dd5c2efdac426a875182e9f7c1a7868f5f462435442c41da5804fae82261702b9b66432512e095c092f2e102deedcab58881c8127

Download Submit
memory/1460-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-13-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1688-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-18-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2168-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-68-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2220-46-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2220-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-41-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2220-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-118-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2332-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-95-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2828-89-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2828-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads