berbew | 42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Size

415KB
MD5

fcac13598b4407f83294fd8ceb5cb01c
SHA1

38a0209f751201c37ca6b5749dccad8fd67c099b
SHA256

42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9
SHA512

f5751eb84dd2c445e0c73060dcbe0876b42ea03e8a87ca827a36486d89818d345e798058cb0324436a72d7afae5c7fd3f5778bc4636006449ca6d51e93786e52
SSDEEP

12288:XyZoWj7NtInBBBBBBBBBBBBBBBBBBBBBBBBB0kfBBBBBBBBBBBBBBBBBBBBBBBBL:Oklp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
220	Delnin32.exe
2992	Deokon32.exe
3888	Dhmgki32.exe
2172	Dfpgffpm.exe
4804	Dogogcpo.exe
5072	Daekdooc.exe
2084	Dddhpjof.exe
2692	Dgbdlf32.exe
556	Dknpmdfc.exe
1880	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe

Program crash 1 IoCs

pid	pid_target	Process
3236	1880	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 220	1200	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe	83
PID 1200 wrote to memory of 220	1200	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe	83
PID 1200 wrote to memory of 220	1200	42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe	83
PID 220 wrote to memory of 2992	220	Delnin32.exe	84
PID 220 wrote to memory of 2992	220	Delnin32.exe	84
PID 220 wrote to memory of 2992	220	Delnin32.exe	84
PID 2992 wrote to memory of 3888	2992	Deokon32.exe	85
PID 2992 wrote to memory of 3888	2992	Deokon32.exe	85
PID 2992 wrote to memory of 3888	2992	Deokon32.exe	85
PID 3888 wrote to memory of 2172	3888	Dhmgki32.exe	86
PID 3888 wrote to memory of 2172	3888	Dhmgki32.exe	86
PID 3888 wrote to memory of 2172	3888	Dhmgki32.exe	86
PID 2172 wrote to memory of 4804	2172	Dfpgffpm.exe	87
PID 2172 wrote to memory of 4804	2172	Dfpgffpm.exe	87
PID 2172 wrote to memory of 4804	2172	Dfpgffpm.exe	87
PID 4804 wrote to memory of 5072	4804	Dogogcpo.exe	88
PID 4804 wrote to memory of 5072	4804	Dogogcpo.exe	88
PID 4804 wrote to memory of 5072	4804	Dogogcpo.exe	88
PID 5072 wrote to memory of 2084	5072	Daekdooc.exe	89
PID 5072 wrote to memory of 2084	5072	Daekdooc.exe	89
PID 5072 wrote to memory of 2084	5072	Daekdooc.exe	89
PID 2084 wrote to memory of 2692	2084	Dddhpjof.exe	90
PID 2084 wrote to memory of 2692	2084	Dddhpjof.exe	90
PID 2084 wrote to memory of 2692	2084	Dddhpjof.exe	90
PID 2692 wrote to memory of 556	2692	Dgbdlf32.exe	91
PID 2692 wrote to memory of 556	2692	Dgbdlf32.exe	91
PID 2692 wrote to memory of 556	2692	Dgbdlf32.exe	91
PID 556 wrote to memory of 1880	556	Dknpmdfc.exe	92
PID 556 wrote to memory of 1880	556	Dknpmdfc.exe	92
PID 556 wrote to memory of 1880	556	Dknpmdfc.exe	92

C:\Users\Admin\AppData\Local\Temp\42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe
"C:\Users\Admin\AppData\Local\Temp\42dce8f9f56093b8c2b11314065ba411d44b19cff2350878c7508555c16e37f9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\Delnin32.exe
  C:\Windows\system32\Delnin32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\Deokon32.exe
    C:\Windows\system32\Deokon32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\Dhmgki32.exe
      C:\Windows\system32\Dhmgki32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 396
        12⤵
        Program crash
        
        PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1880 -ip 1880
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
415KB

MD5
16ba589207ba0c224f752a6961e84e10

SHA1
98b4f5e5f50e591c6057064710647c4ee3ab3066

SHA256
e16733a177f4a43941667a19fa8b8f722041b58765c6b78159a10994d797173e

SHA512
8cfd0cee13f02c2e625081808153358b34f58a84202b4dd1ba6c4c36c364bb4f453a35bf09154e2a4e2861d3ae8cba923529c7e86c3150763d7ab266d3d91285

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
415KB

MD5
ce61fb4568edbb4f60dc270187257780

SHA1
d7ff230e00206e49f37cdc4099c9bed276d8050a

SHA256
7881fa647da8f60a6dc0e49b98d82f05e8a838bfb3458a13b9dd3336d7cb0802

SHA512
6f8089bde262968648c4beae324493f2777c47dddc6e6ff8a4e365b6c98d567cd2c763d36cac3c98ed64bc36712ce01f4e1cfee5fb5ff4baf35df2989f733605

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
415KB

MD5
9a9f3b6def75a7c199fd80343ffbeba6

SHA1
0fed883718cab4a5c6793369e8ea30fd2ddf2976

SHA256
370cfe9453954f423dd8fb93d993cbc912c9cad120b00ea36b6b8b6b92e1bcd4

SHA512
c964ce450b97c5673ad23afa84b5482e823726eba295af80fd154df1c7208f0ade958410c2f37021edeb96d2c90774e967e6806540248074d9ef80eab896fd6e

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
415KB

MD5
b55a5b7d08330ed73d42df01c8e102f6

SHA1
0a9cb05d447dd763e03db3d8d741592fd626aae5

SHA256
fbdb12aad5764ffc9f8d5724819465ecfe4324247677cba1bf2ca13e4f48698a

SHA512
ef05f2f5f53c2eb3062694218e948778f00d2aaea8368f3424d6dc7461fc301396a168d70672a1e60fe8ea732a22c42d880f5b4c2c1cd06d4c82e2d12716875d

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
415KB

MD5
f8217ce1ed6c5aea0a8668e6b4e7cf43

SHA1
5fa2e88aae81e7321aa77e89e784a4da9311eb72

SHA256
854f16f5718acb464df118f2f52f678d68b7c3ccd2f0480867b2dd33dd68a9d8

SHA512
dedc3c36cd21794772b075f9eee444dac951232eb2018b442b7d5abc55ffb1ab318681ce5ab097002755a88f098e00d8b8fff095aa78ac6b4ac0e79b6ece7c7a

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
415KB

MD5
6826555b1074f4ad44c5437386a68969

SHA1
78032091f08675b94e498a0e9d2577fed08a3b6b

SHA256
6c71882d773eec6fe7691be3980add1c71673d75e8f3fbe894fa21eff21a953f

SHA512
278d6f299bdcc770ab2f4253af806145536531294146a1db16fa863cacb265d08a246e70b3ccb0556dfd44409821aa76bed1d3392df54a10a5622c98713b58bb

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
415KB

MD5
d4a81231eeaeea4277b40640aba3a82a

SHA1
0776670328a4e6315d727a3828dfc5260142f094

SHA256
72c5e272941eda63b1237fbb3b010e3eda27d26183c2fb7f23c99400e5e58e2d

SHA512
fdd921b95c69bcc59dd2188ba1e76f179506e06734d42cdd4445b397b8af2e4c73c68983ced7d25bdec9b3001ff83888022abbc340baccec30a1604e15697a40

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
415KB

MD5
0971e628f0b84f7ccdc4027dee6da11a

SHA1
7624ce3587b19a8bddf51adf3faa1e1c855c681d

SHA256
a8bdd993d7c5f4c4fc89071f8b840036010dd14b0e7e86379514f2b0ecc06d6c

SHA512
8add0a127fcb90da39c6d6888405261a7d3292c57148ce79754a8d746f28207c95a85e87e0d22d2a03e59071abb4de539f2171ca1e32dd6db7e21dd41edcd09c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
415KB

MD5
0212cc62e2e6dff81699cb9a89ceb89d

SHA1
fcc283f1a6e7a728691503cf88e358d4f60ff3f0

SHA256
37d527994cfe2397696786bed6eb4e93c37ada1093f616d3af868e8030740101

SHA512
032952fc8308cf382c689b25590a5cc3eeb89afdc27fb7fdbba718ddb3bb496015761e80e6fa1a7d61e98d5b0d019bc4458b533de5022f459f74d8576b16d4cf

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
415KB

MD5
c2d2bc630289920c63d5337d9c4b5b14

SHA1
1311f5e57f2f2dbd059833ab1a12d55ac9688f7c

SHA256
d69c2386fc84e3f0322d6186d3decfa5aa4ef3d48214a44899e86a1e90f7ddc9

SHA512
44e8a7a3a89ce5149641eb02f32da6faa41d1904bed14deb534d7f8433af4cdf6049379e4a37ef595493ec4fada2641b5596b917accac52e73ffcec864f8ef59

Download Submit
memory/220-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/220-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3888-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads