berbew | 9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683

Analysis

max time kernel
23s
max time network
17s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Size

71KB
MD5

940bac052e82672bed9822d7e1a0ac80
SHA1

654373261b3f5a205b257b2dc2422ea493169872
SHA256

9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683
SHA512

168bc5ba7bb3671861e6096acef8c28755de82e8434061802e3b39a40a97d1728cb09ec5df4c940d2ab4b1c2b9d59fac8882cc4021b00fb93e4dc1a98438b51c
SSDEEP

1536:rYjYk6gAZ27AN6lRMCSlRXO3m++WXrHsRQyDbEyRCRRRoR4Rk:rYa20klibebDrMesEy032ya

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bfkpqn32.exeCmgechbh.exeCpfaocal.exeCbdnko32.exeCmjbhh32.exe9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exeBobhal32.exeChkmkacq.exeCklfll32.exeCgbfamff.exeCkiigmcd.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckiigmcd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

Processes:

Bfkpqn32.exeBobhal32.exeChkmkacq.exeCkiigmcd.exeCmgechbh.exeCpfaocal.exeCbdnko32.exeCklfll32.exeCmjbhh32.exeCgbfamff.exeCeegmj32.exe

pid	Process
2816	Bfkpqn32.exe
2696	Bobhal32.exe
2772	Chkmkacq.exe
2724	Ckiigmcd.exe
2512	Cmgechbh.exe
1988	Cpfaocal.exe
2428	Cbdnko32.exe
1712	Cklfll32.exe
3008	Cmjbhh32.exe
1424	Cgbfamff.exe
3040	Ceegmj32.exe

Loads dropped DLL 26 IoCs

Processes:

9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exeBfkpqn32.exeBobhal32.exeChkmkacq.exeCkiigmcd.exeCmgechbh.exeCpfaocal.exeCbdnko32.exeCklfll32.exeCmjbhh32.exeCgbfamff.exeWerFault.exe

pid	Process
2952	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
2952	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
2816	Bfkpqn32.exe
2816	Bfkpqn32.exe
2696	Bobhal32.exe
2696	Bobhal32.exe
2772	Chkmkacq.exe
2772	Chkmkacq.exe
2724	Ckiigmcd.exe
2724	Ckiigmcd.exe
2512	Cmgechbh.exe
2512	Cmgechbh.exe
1988	Cpfaocal.exe
1988	Cpfaocal.exe
2428	Cbdnko32.exe
2428	Cbdnko32.exe
1712	Cklfll32.exe
1712	Cklfll32.exe
3008	Cmjbhh32.exe
3008	Cmjbhh32.exe
1424	Cgbfamff.exe
1424	Cgbfamff.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe

Drops file in System32 directory 33 IoCs

Processes:

Bobhal32.exeChkmkacq.exeCmgechbh.exeCbdnko32.exeCklfll32.exeCmjbhh32.exeBfkpqn32.exeCgbfamff.exeCkiigmcd.exeCpfaocal.exe9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Aheefb32.dll	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfamff.exe	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Lbonaf32.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Cgbfamff.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process
2840	3040	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cgbfamff.exeCkiigmcd.exeCmgechbh.exeCpfaocal.exeCbdnko32.exe9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exeBfkpqn32.exeBobhal32.exeChkmkacq.exeCklfll32.exeCmjbhh32.exeCeegmj32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfamff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 36 IoCs

Processes:

9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exeBfkpqn32.exeBobhal32.exeCmgechbh.exeCpfaocal.exeChkmkacq.exeCkiigmcd.exeCbdnko32.exeCklfll32.exeCmjbhh32.exeCgbfamff.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

description	pid	Process	procid_target
PID 2952 wrote to memory of 2816	2952	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe	30
PID 2952 wrote to memory of 2816	2952	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe	30
PID 2952 wrote to memory of 2816	2952	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe	30
PID 2952 wrote to memory of 2816	2952	9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe	30
PID 2816 wrote to memory of 2696	2816	Bfkpqn32.exe	31
PID 2816 wrote to memory of 2696	2816	Bfkpqn32.exe	31
PID 2816 wrote to memory of 2696	2816	Bfkpqn32.exe	31
PID 2816 wrote to memory of 2696	2816	Bfkpqn32.exe	31
PID 2696 wrote to memory of 2772	2696	Bobhal32.exe	32
PID 2696 wrote to memory of 2772	2696	Bobhal32.exe	32
PID 2696 wrote to memory of 2772	2696	Bobhal32.exe	32
PID 2696 wrote to memory of 2772	2696	Bobhal32.exe	32
PID 2772 wrote to memory of 2724	2772	Chkmkacq.exe	33
PID 2772 wrote to memory of 2724	2772	Chkmkacq.exe	33
PID 2772 wrote to memory of 2724	2772	Chkmkacq.exe	33
PID 2772 wrote to memory of 2724	2772	Chkmkacq.exe	33
PID 2724 wrote to memory of 2512	2724	Ckiigmcd.exe	34
PID 2724 wrote to memory of 2512	2724	Ckiigmcd.exe	34
PID 2724 wrote to memory of 2512	2724	Ckiigmcd.exe	34
PID 2724 wrote to memory of 2512	2724	Ckiigmcd.exe	34
PID 2512 wrote to memory of 1988	2512	Cmgechbh.exe	35
PID 2512 wrote to memory of 1988	2512	Cmgechbh.exe	35
PID 2512 wrote to memory of 1988	2512	Cmgechbh.exe	35
PID 2512 wrote to memory of 1988	2512	Cmgechbh.exe	35
PID 1988 wrote to memory of 2428	1988	Cpfaocal.exe	36
PID 1988 wrote to memory of 2428	1988	Cpfaocal.exe	36
PID 1988 wrote to memory of 2428	1988	Cpfaocal.exe	36
PID 1988 wrote to memory of 2428	1988	Cpfaocal.exe	36
PID 2428 wrote to memory of 1712	2428	Cbdnko32.exe	37
PID 2428 wrote to memory of 1712	2428	Cbdnko32.exe	37
PID 2428 wrote to memory of 1712	2428	Cbdnko32.exe	37
PID 2428 wrote to memory of 1712	2428	Cbdnko32.exe	37
PID 1712 wrote to memory of 3008	1712	Cklfll32.exe	38
PID 1712 wrote to memory of 3008	1712	Cklfll32.exe	38
PID 1712 wrote to memory of 3008	1712	Cklfll32.exe	38
PID 1712 wrote to memory of 3008	1712	Cklfll32.exe	38
PID 3008 wrote to memory of 1424	3008	Cmjbhh32.exe	39
PID 3008 wrote to memory of 1424	3008	Cmjbhh32.exe	39
PID 3008 wrote to memory of 1424	3008	Cmjbhh32.exe	39
PID 3008 wrote to memory of 1424	3008	Cmjbhh32.exe	39
PID 1424 wrote to memory of 3040	1424	Cgbfamff.exe	40
PID 1424 wrote to memory of 3040	1424	Cgbfamff.exe	40
PID 1424 wrote to memory of 3040	1424	Cgbfamff.exe	40
PID 1424 wrote to memory of 3040	1424	Cgbfamff.exe	40
PID 3040 wrote to memory of 2840	3040	Ceegmj32.exe	41
PID 3040 wrote to memory of 2840	3040	Ceegmj32.exe	41
PID 3040 wrote to memory of 2840	3040	Ceegmj32.exe	41
PID 3040 wrote to memory of 2840	3040	Ceegmj32.exe	41

C:\Users\Admin\AppData\Local\Temp\9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe
"C:\Users\Admin\AppData\Local\Temp\9b8f126943aefd5b0af5fe6ddc2385b86dd03461f7e5c0930666b4338ebdd683N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\Bfkpqn32.exe
  C:\Windows\system32\Bfkpqn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\Bobhal32.exe
    C:\Windows\system32\Bobhal32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Chkmkacq.exe
      C:\Windows\system32\Chkmkacq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Cgbfamff.exe
        
        C:\Windows\system32\Cgbfamff.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bobhal32.exe

Filesize
71KB

MD5
0516f6c479b662866a7d2b6aae1c18a6

SHA1
ef4ea702a2121f5b1eab04fb0f584aae0f10e39a

SHA256
6b233c7637c075241050a166a6b5cec57c7f9638f8a297fa589cc9f98582ad91

SHA512
b788bccd94626d72c0ab47e83bb9f1c912439899c6c02a594f19e0833ddc5d55e0d7cbaf5bbd48b57ee48c7f34701a4fd4af054a486d0009ed5f02859d3808dc

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
71KB

MD5
4ea70181f014c56befc9e4c9e691c243

SHA1
bb7cd2002e13429bf3426fe012d0f8b617902668

SHA256
a01af80595a2c17125d26bc91b0fc2167610bb7e575a5490c81e76fea85d0c90

SHA512
07746113eecf23e8d366b7c1836693799f4168e98a57c7571bc70f2036212c4945ed70f9e864564229f1634a1fdec08130ca547399dc7013f3cd476ef9e0cf13

Download Submit
C:\Windows\SysWOW64\Cgbfamff.exe

Filesize
71KB

MD5
6f417d02b777866ce6498168cba529a4

SHA1
0e98e77573c93502aebf8a4302e4b8ad454dd6a4

SHA256
026e681bc6eba6f7f97c5a6ed99ba991b0ebdd164cc927a3b3bc85203924bb32

SHA512
63f855163e4d42a084caecdeadbcd3621625b59b62ca51561f0ee5ae48ab19c1beea8bde59fd9bba1f5482ecc61340935c235c72ed661e18fce904ca5ba09538

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
71KB

MD5
07b2b568eae9a44fc5380648d40994be

SHA1
2e5ec93a1b99eabeca1b609ea659ce1f0be8dcb9

SHA256
b7d63111cfde00f44c19c4e4c2d9f0fa849f5afb64aacdeb0c9227492dc3d246

SHA512
fd695d5a2e5e117eb78c8995e110d5c2fb61f5f09e2cd9b4cfc098d4accc18da135ca2418c3c52728b2c52fe3f6ec9bfa287c35caa8b0ea2899da5bf8e79c662

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
71KB

MD5
19a12d93695ff9a7ec761e725b021f92

SHA1
7f21b5e2e1125ca8f19dcbcc408705b15bdcb0d4

SHA256
32510fe5a905d4ddf4497dd6b35501400bf5b6414d439fc29ee8bae1883d48ec

SHA512
35381e2ab4ec402d37122eefc82a9fb841898d40784116933c73f8eb8455e5cfae1b6a8264fcd5d747b215b7a72b4f9500ae409a47ff8f655f84f4d790ed5e4a

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
71KB

MD5
889520d017b8c69400d7e6b68be61841

SHA1
d43877cd160185b1c723b99ac1374d8c835a2246

SHA256
d0929efbe3d5da18cfd1ed78549e1bd8db71cfc3ccea493a1d998b910092bc44

SHA512
04dcaee20b7789116974d3931b9b4a583c39b33517d2d3c3ee5996ced447d4871c53ae845e33c7c8612c3a431451588e7d55cb74ee9636cd9089c67719a810f7

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
71KB

MD5
be1f9e323fdf6ffe41760909c6425956

SHA1
c02dddc358362e1fe107ab45ac6a8bf1218ef3cc

SHA256
e603dc5b2d53d0d37a0458a2b276534df5d8202f880cbc61a0d502207b0d809d

SHA512
6dc57ddd6e91edc21983c78b900cc85a8424247db53b20e5152c786c3af8ea283a803138bd14d935cb1dcb0fe6c95b3a592e65fca568085b9ea6748a60907072

Download Submit
C:\Windows\SysWOW64\Gnnffg32.dll

Filesize
7KB

MD5
c551eb85ae6ef1c92ba828deacb3806a

SHA1
9a124948128579f5fdffd794903588efcb3b9766

SHA256
28dd48b5e0e474a80e4727d6afd447bb772f9df71e45c8aff4c8f043ca74b347

SHA512
7a1ee2517dc3b569d69126c4934740789838fbda3792ccd720bda3eb1d5a1a362c8e9ec687cae7afd6fd70514594a5da88771dc55830502023e27bed64e4eeb2

Download Submit
\Windows\SysWOW64\Bfkpqn32.exe

Filesize
71KB

MD5
692aae69c0ef9fa0cd3c5ce962930878

SHA1
3761542a8d9c489492ee48f6c7dff6e7df154f5a

SHA256
3fa9950831bbcfe9074a6b0da41c78520aa1f6719c27cde42cf1fd2844b46d38

SHA512
d4f4a0e8414d29889526711cc9fa8c0ee00fe21aec89a1de74a4f1113a5f49d47d4b34731e11f2402124d2f30ccb4375d330ee568cddc689f7678202b6efb3b3

Download Submit
\Windows\SysWOW64\Cbdnko32.exe

Filesize
71KB

MD5
e2b973a623bd04f0928eb8273aa8d600

SHA1
7d30686a5267f0f25f2d093041a8c1456d0ef043

SHA256
8d3e30adf06c288120c750cbf38ad8c768a80760b28b081bbdd1b36dadf0fc3c

SHA512
64d9d87b5454321dcc842795918ed4aba6b608fa416a4bcc1b82101c699e007f0ed3d9e119d169e39278f82002e52c7c74705da81893a5252487658686ba42af

Download Submit
\Windows\SysWOW64\Chkmkacq.exe

Filesize
71KB

MD5
526ea81802fa0ede108f034eb55989d9

SHA1
5f1529b938f0f41de5f123f6c171f8926418bfc6

SHA256
1f4dc2c2d2cf259166f6e38d2390711ad23070fb2410d8a18d37086679d19b5c

SHA512
b73306c7ba2d002c04960cfd2abf0f079a392f66582bab2b69d943d6c9d53244227dcbf3c56ff49b82874524a4e66bf0a25892489616c1ef674de7592014b4fd

Download Submit
\Windows\SysWOW64\Cklfll32.exe

Filesize
71KB

MD5
1511ec3d302c4321d3f453509cd5c15e

SHA1
55131fba04d08ba4abde69f6e8610074a6bc928b

SHA256
6ed9bbe4a44da1a0c4c624ff2d346804af4d088de7aa6886ac781f6e92a6ed81

SHA512
1adb42e465fef0baca4736b6faff51e3fcabda697315e7dad3263fb70efdb1e6fa1c4e3c5cfa0b5bb5cd64a682d740d117b31ad078e215b51e18a87d5fd0a0ca

Download Submit
memory/1424-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1424-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1424-143-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1712-119-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/1712-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1712-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-88-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1988-157-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-156-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2512-158-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2512-79-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2696-34-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2696-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2696-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-61-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2772-48-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2772-159-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2816-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2816-162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-163-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-12-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/2952-13-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/2952-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-134-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/3008-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-154-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3040-164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download