berbew | 8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590

Analysis

max time kernel
94s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Size

56KB
MD5

eb4127b3ab5001b0509df69cdce7fdf0
SHA1

961ee4815353a290142f44fa0b2e8a19373c56e0
SHA256

8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590
SHA512

ba13fca365c55d3cc648bb6bd4ddc40daed53fd51551163c71cf298b8db68abe7ec9fe8959689a9213c225a1e476de77def4188afb1856d401b8f15c155001e4
SSDEEP

1536:1mYGp/bQWFE7yfGPa5UcPIlTM1C9N93Ih:GbPEOfP5UcPgTM1CLBIh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
316	Ccmpce32.exe
2292	Cenljmgq.exe
2712	Cfmhdpnc.exe
2940	Cpfmmf32.exe
2580	Cebeem32.exe
2676	Ckmnbg32.exe
2088	Cgcnghpl.exe
2556	Cnmfdb32.exe
2872	Dnpciaef.exe
2296	Dpapaj32.exe

Loads dropped DLL 23 IoCs

pid	Process
2448	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
2448	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
316	Ccmpce32.exe
316	Ccmpce32.exe
2292	Cenljmgq.exe
2292	Cenljmgq.exe
2712	Cfmhdpnc.exe
2712	Cfmhdpnc.exe
2940	Cpfmmf32.exe
2940	Cpfmmf32.exe
2580	Cebeem32.exe
2580	Cebeem32.exe
2676	Ckmnbg32.exe
2676	Ckmnbg32.exe
2088	Cgcnghpl.exe
2088	Cgcnghpl.exe
2556	Cnmfdb32.exe
2556	Cnmfdb32.exe
2872	Dnpciaef.exe
2872	Dnpciaef.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1720	2296	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 316	2448	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe	31
PID 2448 wrote to memory of 316	2448	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe	31
PID 2448 wrote to memory of 316	2448	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe	31
PID 2448 wrote to memory of 316	2448	8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe	31
PID 316 wrote to memory of 2292	316	Ccmpce32.exe	32
PID 316 wrote to memory of 2292	316	Ccmpce32.exe	32
PID 316 wrote to memory of 2292	316	Ccmpce32.exe	32
PID 316 wrote to memory of 2292	316	Ccmpce32.exe	32
PID 2292 wrote to memory of 2712	2292	Cenljmgq.exe	33
PID 2292 wrote to memory of 2712	2292	Cenljmgq.exe	33
PID 2292 wrote to memory of 2712	2292	Cenljmgq.exe	33
PID 2292 wrote to memory of 2712	2292	Cenljmgq.exe	33
PID 2712 wrote to memory of 2940	2712	Cfmhdpnc.exe	34
PID 2712 wrote to memory of 2940	2712	Cfmhdpnc.exe	34
PID 2712 wrote to memory of 2940	2712	Cfmhdpnc.exe	34
PID 2712 wrote to memory of 2940	2712	Cfmhdpnc.exe	34
PID 2940 wrote to memory of 2580	2940	Cpfmmf32.exe	35
PID 2940 wrote to memory of 2580	2940	Cpfmmf32.exe	35
PID 2940 wrote to memory of 2580	2940	Cpfmmf32.exe	35
PID 2940 wrote to memory of 2580	2940	Cpfmmf32.exe	35
PID 2580 wrote to memory of 2676	2580	Cebeem32.exe	36
PID 2580 wrote to memory of 2676	2580	Cebeem32.exe	36
PID 2580 wrote to memory of 2676	2580	Cebeem32.exe	36
PID 2580 wrote to memory of 2676	2580	Cebeem32.exe	36
PID 2676 wrote to memory of 2088	2676	Ckmnbg32.exe	37
PID 2676 wrote to memory of 2088	2676	Ckmnbg32.exe	37
PID 2676 wrote to memory of 2088	2676	Ckmnbg32.exe	37
PID 2676 wrote to memory of 2088	2676	Ckmnbg32.exe	37
PID 2088 wrote to memory of 2556	2088	Cgcnghpl.exe	38
PID 2088 wrote to memory of 2556	2088	Cgcnghpl.exe	38
PID 2088 wrote to memory of 2556	2088	Cgcnghpl.exe	38
PID 2088 wrote to memory of 2556	2088	Cgcnghpl.exe	38
PID 2556 wrote to memory of 2872	2556	Cnmfdb32.exe	39
PID 2556 wrote to memory of 2872	2556	Cnmfdb32.exe	39
PID 2556 wrote to memory of 2872	2556	Cnmfdb32.exe	39
PID 2556 wrote to memory of 2872	2556	Cnmfdb32.exe	39
PID 2872 wrote to memory of 2296	2872	Dnpciaef.exe	40
PID 2872 wrote to memory of 2296	2872	Dnpciaef.exe	40
PID 2872 wrote to memory of 2296	2872	Dnpciaef.exe	40
PID 2872 wrote to memory of 2296	2872	Dnpciaef.exe	40
PID 2296 wrote to memory of 1720	2296	Dpapaj32.exe	41
PID 2296 wrote to memory of 1720	2296	Dpapaj32.exe	41
PID 2296 wrote to memory of 1720	2296	Dpapaj32.exe	41
PID 2296 wrote to memory of 1720	2296	Dpapaj32.exe	41

C:\Users\Admin\AppData\Local\Temp\8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe
"C:\Users\Admin\AppData\Local\Temp\8764f34255057790e8df6002d2fc3d256468f39397c9d5ae0d04410403eb1590N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\Ccmpce32.exe
  C:\Windows\system32\Ccmpce32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\Cenljmgq.exe
    C:\Windows\system32\Cenljmgq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\Cfmhdpnc.exe
      C:\Windows\system32\Cfmhdpnc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 144
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
56KB

MD5
7a683ebd967b16028990362cb6224a8d

SHA1
2b75f030bd2feb5046d7912a2e9c1c58e8fd8866

SHA256
69deff81a501390a6abe33ebde68838e5299eb7097d6a745ade560e00b41ec36

SHA512
7522d9b4a453175dbebab070ec66269713d8b0e3631dda8b8018f1e0194d5b1f9e0b6547ad7687bd1f95b37f48a322457c4a41fc42d76c5751fff4c370cbab48

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
56KB

MD5
652fa31f55675f3c821007b9e04da5e9

SHA1
5142a5de2d1c4986aff24ff80def50f50bf52300

SHA256
9ad0d5262b86cedc0ea92ab06cf25fcdfff4f7842167a7969d246332d7b051c1

SHA512
ce3dfafc6d50f231299c7b594a2aa9dc43fb692846a94510c960e30332e92d2871ad824584598d0b4f2811243ca0b4c99160ac2e1e3ca05932cc567fae626723

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
56KB

MD5
64cd112ac4d65d5228a4eef53f6c73e8

SHA1
0da987b3a22742730e0bc3127dde2d3ea4b02ac2

SHA256
a11e6316760de33052fa89d41fd7ad3402ff49d7fb2eb063a72fb8300b398acb

SHA512
9666eafe3597b407542a08aef2c7235037eb67e0eb1623d3c364d6680dbd73a7502635c9dd6b6e65f3529309969d87d574d40969e37b6ff00709bb1c2188819e

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
56KB

MD5
d7fb52ee16246959b2244307e880e6d8

SHA1
77544c9ef4c0101d2beffd9c1ca442c81a96569a

SHA256
4bd441825c9db3f68bee2d1934f64e58dcbf8c3dfd41f171685fd6294f2e1337

SHA512
1125be31f1cee0946dc7b28401716dca10a9ee98861c4299287690325f21e105d3939000f4d7b46ca0d7e6bdea588e814e8059c9209a8b7b02f5b805712b3908

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
56KB

MD5
1bdb048e272fdd7dc93aaf41e44a624a

SHA1
62361321db2ac8b06ec6eff2e90034bb239fe2e9

SHA256
8f0bd1d0b7e58f05054e978bc0c3f8fd0380c751fe8b84eec49dfdeda686b430

SHA512
edd4e13dbe00cb1f133c62ec609039c18218199fdd60157363c85c1ba6cdd865557d78d604dcebdc20d1602057a20da46a396e3b51593a2b48793d35ab9829ae

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
56KB

MD5
3a6124d9c10e0ba616cbd96f16c31ef2

SHA1
8eeb2f99f13d61fa268ff32ea6073722ca35c11a

SHA256
50174213fc7ab620b3687c4705686d5c3d4a9c5692ef6daea9b0e6ca1573a56d

SHA512
9d743a2915ab9ba78560ab6550e6c42036f45cb4fe0661a6c42899c7a695e11f569bba81ec0c3d3021c6ca5d9d806808a8c5338ea989ac3210fc185409d700a3

Download Submit
\Windows\SysWOW64\Cnmfdb32.exe

Filesize
56KB

MD5
d49edb25c7f75ad9d5ff79bf6a851d4d

SHA1
ee0af17402508dc38a774e2c848c895033d21d8d

SHA256
34c2ff54c0bc9d574ba9942404352b1a588a9156f272a8dac54fdb8b2458b66f

SHA512
6aa2571d5794a3c9d0d29fc405316ca90a6eca47ee707f7a12f76be2526cfaddde4a6776b5ab2f16910a0ac3561b8573480773fcd17bbb64a313739b403fafb3

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
56KB

MD5
29d725976c1b1932226c4bc5c30c20c6

SHA1
2ff98545cc57a7e454ffed96323d22896e8bcffc

SHA256
6126f4c112a04faee3fc2bbef9dbb7124435dacb7d7615eb2c7ae1be812e8db9

SHA512
d6d2a85510bbd33daf763b727318f7ff1550fedb53af19a28858f9c5133944e9014cc8ef6ccce9462d9f79dbd64ddf98a371de0cafe996494b0203c0cf24cfd4

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
56KB

MD5
5ba132a658fd7556bdf5969220758a5d

SHA1
697f7c3a39a3e51905db843b095047308ce1f26e

SHA256
8b05186030128b590789243ab6aed4d0402bcac9a482f7d4eceaffed1f5a196e

SHA512
8e11d1b03843a8726d8258f40e4cf98120c0edc1575961cc7bc5df5e1b2e1ed9737e2d25cb91f264482d28c6194b454a52851f0718e07116e1418e7b25efa3a8

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
56KB

MD5
c6517783d5de6e6c3ae42774b485da75

SHA1
1fab978030ebeec4bd847a1ac5e35d1b721afa44

SHA256
a0e7c223350603ba6fb642fcfc1421596593f44e987c1f6758cb801b8cc2f25c

SHA512
8582783b647d42035f4554962e685997268f493dc957ca6a6c18c33cedb507ff33bd6ac0cc43be8583904169288db6696cd2134ca0adbda69d6f0c104657b63d

Download Submit
memory/316-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-103-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2292-34-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2292-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-40-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2292-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-20-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2448-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-17-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2556-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-54-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2712-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads