berbew | ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
Size

71KB
MD5

ca02f94d248c4b880a32a7693786ccc0
SHA1

83b9d79436396fceecd68ef37685dad90693e39a
SHA256

ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75
SHA512

d0f0a23cf16214d4a5e76507a8ef026065019b996195f4b8caf95930d0be29e0a68ab3b727e41d2bb6be28f9cd83525affba3bcd0284a922cc1bb259a66f782d
SSDEEP

1536:CVxvk/NRvKV0/V3dKK2O5+qlcOhOORQBDbEyRCRRRoR4Rky:CVxMbvKCNn2OEorBetEy032yay

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
2592	Bdkgocpm.exe
2608	Bmclhi32.exe
2584	Bhhpeafc.exe
2172	Bobhal32.exe
528	Cpceidcn.exe
1308	Cilibi32.exe
2556	Cpfaocal.exe
836	Cinfhigl.exe
2652	Cphndc32.exe
2332	Ceegmj32.exe

Loads dropped DLL 24 IoCs

pid	Process
2908	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
2908	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
2592	Bdkgocpm.exe
2592	Bdkgocpm.exe
2608	Bmclhi32.exe
2608	Bmclhi32.exe
2584	Bhhpeafc.exe
2584	Bhhpeafc.exe
2172	Bobhal32.exe
2172	Bobhal32.exe
528	Cpceidcn.exe
528	Cpceidcn.exe
1308	Cilibi32.exe
1308	Cilibi32.exe
2556	Cpfaocal.exe
2556	Cpfaocal.exe
836	Cinfhigl.exe
836	Cinfhigl.exe
2652	Cphndc32.exe
2652	Cphndc32.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cphndc32.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cpceidcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	2332	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bhhpeafc.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2592	2908	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe	30
PID 2908 wrote to memory of 2592	2908	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe	30
PID 2908 wrote to memory of 2592	2908	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe	30
PID 2908 wrote to memory of 2592	2908	ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe	30
PID 2592 wrote to memory of 2608	2592	Bdkgocpm.exe	31
PID 2592 wrote to memory of 2608	2592	Bdkgocpm.exe	31
PID 2592 wrote to memory of 2608	2592	Bdkgocpm.exe	31
PID 2592 wrote to memory of 2608	2592	Bdkgocpm.exe	31
PID 2608 wrote to memory of 2584	2608	Bmclhi32.exe	32
PID 2608 wrote to memory of 2584	2608	Bmclhi32.exe	32
PID 2608 wrote to memory of 2584	2608	Bmclhi32.exe	32
PID 2608 wrote to memory of 2584	2608	Bmclhi32.exe	32
PID 2584 wrote to memory of 2172	2584	Bhhpeafc.exe	33
PID 2584 wrote to memory of 2172	2584	Bhhpeafc.exe	33
PID 2584 wrote to memory of 2172	2584	Bhhpeafc.exe	33
PID 2584 wrote to memory of 2172	2584	Bhhpeafc.exe	33
PID 2172 wrote to memory of 528	2172	Bobhal32.exe	34
PID 2172 wrote to memory of 528	2172	Bobhal32.exe	34
PID 2172 wrote to memory of 528	2172	Bobhal32.exe	34
PID 2172 wrote to memory of 528	2172	Bobhal32.exe	34
PID 528 wrote to memory of 1308	528	Cpceidcn.exe	35
PID 528 wrote to memory of 1308	528	Cpceidcn.exe	35
PID 528 wrote to memory of 1308	528	Cpceidcn.exe	35
PID 528 wrote to memory of 1308	528	Cpceidcn.exe	35
PID 1308 wrote to memory of 2556	1308	Cilibi32.exe	36
PID 1308 wrote to memory of 2556	1308	Cilibi32.exe	36
PID 1308 wrote to memory of 2556	1308	Cilibi32.exe	36
PID 1308 wrote to memory of 2556	1308	Cilibi32.exe	36
PID 2556 wrote to memory of 836	2556	Cpfaocal.exe	37
PID 2556 wrote to memory of 836	2556	Cpfaocal.exe	37
PID 2556 wrote to memory of 836	2556	Cpfaocal.exe	37
PID 2556 wrote to memory of 836	2556	Cpfaocal.exe	37
PID 836 wrote to memory of 2652	836	Cinfhigl.exe	38
PID 836 wrote to memory of 2652	836	Cinfhigl.exe	38
PID 836 wrote to memory of 2652	836	Cinfhigl.exe	38
PID 836 wrote to memory of 2652	836	Cinfhigl.exe	38
PID 2652 wrote to memory of 2332	2652	Cphndc32.exe	39
PID 2652 wrote to memory of 2332	2652	Cphndc32.exe	39
PID 2652 wrote to memory of 2332	2652	Cphndc32.exe	39
PID 2652 wrote to memory of 2332	2652	Cphndc32.exe	39
PID 2332 wrote to memory of 2948	2332	Ceegmj32.exe	40
PID 2332 wrote to memory of 2948	2332	Ceegmj32.exe	40
PID 2332 wrote to memory of 2948	2332	Ceegmj32.exe	40
PID 2332 wrote to memory of 2948	2332	Ceegmj32.exe	40

C:\Users\Admin\AppData\Local\Temp\ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe
"C:\Users\Admin\AppData\Local\Temp\ec2a2f33c76c2e75fc48d3b921d4fd9fff32dafbc46d36fd570c3d0aac026e75.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\Bdkgocpm.exe
  C:\Windows\system32\Bdkgocpm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\Bmclhi32.exe
    C:\Windows\system32\Bmclhi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\Bhhpeafc.exe
      C:\Windows\system32\Bhhpeafc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
71KB

MD5
d1d8cabfba90cdc3b256e51e1e00031a

SHA1
86694028063809fc37c195e7b348ba4da1ed18ac

SHA256
03960c034cf5efca4d1e90215d51543ce59c8cee90f3860abd3ad31bfa088d21

SHA512
4ddb00f664fe439f8c2ad45af37435cc1bbe0a63b1978767e42db23b61fb8c76572a4b40b4a4a2967cd3624192b6b0d968977f24f151c2d4618a4974a25e66b2

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
71KB

MD5
a73d98373043355399e7a08b76cf564b

SHA1
812a646a8e92f49f37af18e9154db54050afa55e

SHA256
142aa5d9c8ca281b615457b596fcccc7c0a8750972a68b76ffc36c2df38b183e

SHA512
dc4b21cd364898fcb6d61b1132828c192290ead9b29a985a742c3de7455807eb52bb261e59b89c4d66adffbc648baad4e27f50ed16b130f660b93e80de774385

Download Submit
C:\Windows\SysWOW64\Ndmjqgdd.dll

Filesize
7KB

MD5
68a273381ea6ee3458dfe2b794ae05d3

SHA1
033fd903d0339fb26d40cd823fbc61c86e1d5b1a

SHA256
e33e6305e6720f731da9d12bfc6b1c8232247ad5d98719147029240542d3b374

SHA512
bca9e4a3062930c43812b1ea2fb0de95dc4a661d1ff04b293606131b610caee992e1275d2dad839e4d10ab429383c4da22eaafbfab96e3b36c63f8cd202c3590

Download Submit
\Windows\SysWOW64\Bmclhi32.exe

Filesize
71KB

MD5
6de757d64d64afdaabae606a8d79274b

SHA1
8f7ff0d3c45e023758fc2c213b8a40df68a88d04

SHA256
3f4707828d4dfeece04bf822d9a45a74c6bb6fede0e7a39bd1ac21d767d58cf7

SHA512
f2a05e4abe12fad10029e16b0732d7b5bb53f6b47441ce37fc9ee164d4494c6c4def19ea452d5db898889ff84829a4b75c395e0a4baaca1ec2aa060da517fc82

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
71KB

MD5
0d3c92ee5ea1ef301175094ed95b94de

SHA1
815214b63414fa622850a0948726afc97c1563e6

SHA256
cb35dbbd76548b8952ac588416ec9fb9fb4ad144de72cb6e248c97dc73599a0b

SHA512
35090f729b33eed38f6f8f9e969e15c5c7249e941a4083e9b9e91584959ace7ef7ce1ec51d6c713a6107e0cffdf18ef95228253b7d5c11780558430370efdbec

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
71KB

MD5
58603a096a497c034579ae7562a35e74

SHA1
40c3ea8825f7e0f80ee8df6b68c4553345aab620

SHA256
efb5aeb0bc3b5292c2a0314ccd55247fe074b41ebb5030b6a8370219932b910c

SHA512
6f76be907047f002ae693f12308b1567cb6edd99f9cdfa07f0a7a4ac9531a7444e7e82085b0e940585bc0a2939b7d5dd7778ba58394ddbe1ca64e99d1fbd20ff

Download Submit
\Windows\SysWOW64\Cilibi32.exe

Filesize
71KB

MD5
edf332f01b282f8d81cef44afeea65f3

SHA1
a8f2b3ac4cb9de968a13d329cfcfc7b6b79d3d5e

SHA256
d518359a1c986b4d15913a8d4689fd3691a74a0c0bd49b7fd5cda1fed40679f6

SHA512
b0c339d4a9c3f7e583e159e464e337f07f4d359374041603463bcd637168538ce2e826a54ba3c3a1df823a6cd30230e3f87bf3d9e2d2dc81a2fffbf6e4f16364

Download Submit
\Windows\SysWOW64\Cinfhigl.exe

Filesize
71KB

MD5
da2f934bba5369d45bb9a01100572c4d

SHA1
88504ec86e8df2a624c8b542bb7d134db1dd2263

SHA256
8a89e8dffe49bd5a1a3285601de6f0d2fb046f9e18d6a449a1acaa1b2899bdcb

SHA512
4638be5ce510b7522bf0430a77fc5325ea72aec598dd3827791553f80e7b663273e75d638969c49be7c03cb70627a1d7d6e463fc623f79c140670b6dbbe6a379

Download Submit
\Windows\SysWOW64\Cpceidcn.exe

Filesize
71KB

MD5
3f7c19901fde03ad513122bd452f68c8

SHA1
a6f9b82f7b5337430f23b69499fb83fd553d14c9

SHA256
3b59ed4a6263da0886e8f1dba65442b9f358906bc9667cb32adf64f10788033a

SHA512
2038337caf31dabcee7ffeb6d0c1b2e05c76c34e3cfb31379b8106cc585868a6ae5394a778164e1bb21a10c654f93f08ab575b952cd15b9258e7e37f74733c81

Download Submit
\Windows\SysWOW64\Cpfaocal.exe

Filesize
71KB

MD5
4adc8eae5555491bf5b9b4889757dc0f

SHA1
714ebae60a8f84cd9b050088b2d23a8a5223f168

SHA256
6e777db7d12f5746c3b8a1220b1a92f5c3faf7c4106d5a29728b7bf1ff01dc73

SHA512
5c660c4bc4bc8c78a4dea943e92752a778253f2026d175b82a1399aa3f0124ceebf16abe86f48c02347ee78880a310592d9c8d451103afd2fcff78dc3a312b9d

Download Submit
\Windows\SysWOW64\Cphndc32.exe

Filesize
71KB

MD5
1c9304ccf62d659cd8be802f53a2ee82

SHA1
33a6808ab572e6d1c5aa3c5a5de5f87de633a61b

SHA256
85efd11e4ea74f53b954db86275b9c25a36bcad71bbf9e29430c8419d6729408

SHA512
a11e0a5d82e06f61b45a9b685286a25cf30fde17c8303bdbdb58999fe48ddad6b6af30ca01143143323837cce8fe1ae01f17c346092ecc64e2eafd9eb92ccf11

Download Submit
memory/528-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/528-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/836-148-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1308-145-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1308-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2172-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2332-146-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-101-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2556-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2584-55-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2584-49-0x0000000000380000-0x00000000003B9000-memory.dmp

Filesize
228KB

Download
memory/2584-147-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2584-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2592-28-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2592-22-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2592-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2592-140-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2608-139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-127-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2652-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-12-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2908-13-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2908-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads