berbew | 9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/12/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Size

93KB
MD5

467da0e9616a1ab50ea8075a1bf97e00
SHA1

4a731509b52dac3f7422fdf7504e2a3df41eca3f
SHA256

9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386
SHA512

ccb248518ca12e72bded200eb700863d62d62366ddbdc8ad3c3d669bfc9ad362ecf0cbbbda61fa015964d4ce2f810ccae5b837b6e5a19edc47fdee0ca2c25f5c
SSDEEP

1536:wDQtvaGc3F8Pf+nwJ7O/3BjDirf1DaYfMZRWuLsV+1Z:wDQtCt3en+nwJ7udDirfgYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphndc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 8 IoCs

pid	Process
2288	Cpfaocal.exe
2812	Cbdnko32.exe
1948	Cinfhigl.exe
2700	Clmbddgp.exe
592	Cphndc32.exe
1572	Cddjebgb.exe
2524	Cgbfamff.exe
2388	Ceegmj32.exe

Loads dropped DLL 20 IoCs

pid	Process
2824	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
2824	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
2288	Cpfaocal.exe
2288	Cpfaocal.exe
2812	Cbdnko32.exe
2812	Cbdnko32.exe
1948	Cinfhigl.exe
1948	Cinfhigl.exe
2700	Clmbddgp.exe
2700	Clmbddgp.exe
592	Cphndc32.exe
592	Cphndc32.exe
1572	Cddjebgb.exe
1572	Cddjebgb.exe
2524	Cgbfamff.exe
2524	Cgbfamff.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Eelloqic.dll	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfamff.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Lbonaf32.dll	Cddjebgb.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Cgbfamff.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cgbfamff.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Clmbddgp.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Clmbddgp.exe	Cinfhigl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3024	2388	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfamff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelloqic.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddjebgb.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2288	2824	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe	30
PID 2824 wrote to memory of 2288	2824	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe	30
PID 2824 wrote to memory of 2288	2824	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe	30
PID 2824 wrote to memory of 2288	2824	9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe	30
PID 2288 wrote to memory of 2812	2288	Cpfaocal.exe	31
PID 2288 wrote to memory of 2812	2288	Cpfaocal.exe	31
PID 2288 wrote to memory of 2812	2288	Cpfaocal.exe	31
PID 2288 wrote to memory of 2812	2288	Cpfaocal.exe	31
PID 2812 wrote to memory of 1948	2812	Cbdnko32.exe	32
PID 2812 wrote to memory of 1948	2812	Cbdnko32.exe	32
PID 2812 wrote to memory of 1948	2812	Cbdnko32.exe	32
PID 2812 wrote to memory of 1948	2812	Cbdnko32.exe	32
PID 1948 wrote to memory of 2700	1948	Cinfhigl.exe	33
PID 1948 wrote to memory of 2700	1948	Cinfhigl.exe	33
PID 1948 wrote to memory of 2700	1948	Cinfhigl.exe	33
PID 1948 wrote to memory of 2700	1948	Cinfhigl.exe	33
PID 2700 wrote to memory of 592	2700	Clmbddgp.exe	34
PID 2700 wrote to memory of 592	2700	Clmbddgp.exe	34
PID 2700 wrote to memory of 592	2700	Clmbddgp.exe	34
PID 2700 wrote to memory of 592	2700	Clmbddgp.exe	34
PID 592 wrote to memory of 1572	592	Cphndc32.exe	35
PID 592 wrote to memory of 1572	592	Cphndc32.exe	35
PID 592 wrote to memory of 1572	592	Cphndc32.exe	35
PID 592 wrote to memory of 1572	592	Cphndc32.exe	35
PID 1572 wrote to memory of 2524	1572	Cddjebgb.exe	36
PID 1572 wrote to memory of 2524	1572	Cddjebgb.exe	36
PID 1572 wrote to memory of 2524	1572	Cddjebgb.exe	36
PID 1572 wrote to memory of 2524	1572	Cddjebgb.exe	36
PID 2524 wrote to memory of 2388	2524	Cgbfamff.exe	37
PID 2524 wrote to memory of 2388	2524	Cgbfamff.exe	37
PID 2524 wrote to memory of 2388	2524	Cgbfamff.exe	37
PID 2524 wrote to memory of 2388	2524	Cgbfamff.exe	37
PID 2388 wrote to memory of 3024	2388	Ceegmj32.exe	38
PID 2388 wrote to memory of 3024	2388	Ceegmj32.exe	38
PID 2388 wrote to memory of 3024	2388	Ceegmj32.exe	38
PID 2388 wrote to memory of 3024	2388	Ceegmj32.exe	38

C:\Users\Admin\AppData\Local\Temp\9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe
"C:\Users\Admin\AppData\Local\Temp\9f9851968e8157c01933ab3b283c60a1fdecb2dcb344c26792a06ba625699386N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Cpfaocal.exe
  C:\Windows\system32\Cpfaocal.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\Cbdnko32.exe
    C:\Windows\system32\Cbdnko32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Cinfhigl.exe
      C:\Windows\system32\Cinfhigl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Cgbfamff.exe
        
        C:\Windows\system32\Cgbfamff.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
93KB

MD5
871acee513eb553ed9815066d215f93b

SHA1
31684311ca19cf3369257802693d24a04a8cae0e

SHA256
e4ca1e195dcf90428e7e49bc6782fb401014be9c06dbcd595588633b912963f2

SHA512
41447a951ffa44b4c3f413d121f1c3e4275dd20e5b16923972c947414a3d72a6db51ce365930537d01acb23e2e50d3f269d912c861a34466b4fc77955ecaae0e

Download Submit
C:\Windows\SysWOW64\Cgbfamff.exe

Filesize
93KB

MD5
4302ec845caa0a9e2857b1b883882a2a

SHA1
bf03811f02f4531946bd221f85d1d1018ed5880e

SHA256
2cccfe4c27db8fda4be6efeaa627b094b1865623f3e9fc194a0aeb424eab95af

SHA512
f6fe3f06681fa4c2f0b6f292d3a99e76fe05b52fd244f6d73d21d882566af42b1cb755cf757cd0d7cae353f2c460c743abf3b8573e065429a332857c17188601

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
93KB

MD5
eea919bc104733ea64d4d7dfdb3cb1e7

SHA1
f1cdcb06e27dabbf0979f2f77da974fb8b0ac3b2

SHA256
c84755a1cbffbc288a4ce13d4352d3bc917371b069ff739bd1398b7e41195af5

SHA512
562fe8bb2e4bcc858984e2d872aade170c8cef6a1dda862a68a19803b222eefe6b3fce22d17776a386920a2b32ecb1ca9c9a8f3837315a69a51d888b7d218c59

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
93KB

MD5
541bdd3546daf3363a75a163aa38e09c

SHA1
945c3585967577ba5caa6b3cc3d9b679a673e415

SHA256
86b8a6b6c542e392497e7ccc5b7d8c6d55c6fffe120c58bbf0ddfe6c0eae82bb

SHA512
a1b21311396166aab3bdf70e1c4dab02bc87a94b09831505e48719db83378a205fd67758eec85d6e472a7227d2ef25adf661437a2aa4dae50aed6ba7e9bf1547

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
93KB

MD5
4eca1cc16a5403a835177f2f9cef750a

SHA1
f4964ab2fdce65df7b7b01dfffb48faed9c1924f

SHA256
2f6f09c85240d019f72563803e7533fce199792e9a2fa4302e323d172909c17d

SHA512
33c61e826172ac594c7cbee353f7c56b5fababee34ecbb90922cb711e14ef2466d185d3f9d33e78a9171f3f398c9da15c03967c4f5e7a8a2c4518467371cf0c8

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
93KB

MD5
0c340479e2775dd481c19c1a3b455bb8

SHA1
a1c67f3c95a309b5a8d154cf0b18c7fb254e54ff

SHA256
8cadfea0b1e0da84dacb65cf253b85ce33f79c73ff6487494714420fef91a041

SHA512
3bac29f3b3aee0c0935b7812380760273043ea26730cb4fa4472a511132d5a3d41c4ba6ba39d3cfdb3844a00adb9551f17c309547be9ae8fb1defb8c8b8c4f61

Download Submit
\Windows\SysWOW64\Cbdnko32.exe

Filesize
93KB

MD5
0a57989746fd95f978a2c2d3b682ac27

SHA1
b78c48efebdf1fdd1c9f174a6bc333547d6708a0

SHA256
90add50fd2a297b97f46f596135d0f2b94962b19e33d275220b10c3f5bb66d90

SHA512
9ed001de3d4e9cab50b294b74d422e9f1fec9a8ad8eaab379c88de5b1497675fa81f9143e09c3ff7f2dcd44e26773a6b6a5417902dfd4b9cb9ea27c3fcf2c8e8

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
93KB

MD5
4bb524a79d32e0976f77e7345869df2e

SHA1
90e37e87986b71ce362b68269dd0acec3599e9d8

SHA256
d4b42472d569bfb07e7995d01da365c6d751d3492a020dd8b539d411bfb0897d

SHA512
a9e74e9216460d69e68f9a8e1a0569eac507300f386bb4f3e0c09ccf71a077d2577b6129d74d91380cc0dd26f2cb1d87eaa34bbc06330f98e52a9d30610abcac

Download Submit
memory/592-79-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/592-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-87-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1948-48-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1948-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-99-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2524-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-61-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2700-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-34-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2812-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-23-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2824-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-24-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads