berbew | 153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9b

Analysis

max time kernel
119s
max time network
21s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Size

74KB
MD5

74ecb9b6aae6190b0ed49e6f877d39b0
SHA1

16496aad935cf1a8898bfe13b1eae52452d90b3a
SHA256

153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9b
SHA512

6d0fae526107eb1abda56ed1392317d502f1f630b8dfcaeb382f83c830d3c12b34e2938863de71bb743d91ad62d69d47c8b23a9d3d2a8aa0977ca99f19be263d
SSDEEP

1536:75E1W+xdj+7H0rdHGBlcvG/Z3+Poxlv8Fx0s4VV66rDvk6n:+1W+eVAG/0gPUj0s4VX5n

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
2736	Bjdplm32.exe
2916	Bfkpqn32.exe
2696	Bmeimhdj.exe
2704	Chkmkacq.exe
536	Ckiigmcd.exe
1588	Cpfaocal.exe
2680	Cbdnko32.exe
1444	Cmjbhh32.exe
1592	Cphndc32.exe
2684	Ceegmj32.exe

Loads dropped DLL 24 IoCs

pid	Process
2844	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
2844	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
2736	Bjdplm32.exe
2736	Bjdplm32.exe
2916	Bfkpqn32.exe
2916	Bfkpqn32.exe
2696	Bmeimhdj.exe
2696	Bmeimhdj.exe
2704	Chkmkacq.exe
2704	Chkmkacq.exe
536	Ckiigmcd.exe
536	Ckiigmcd.exe
1588	Cpfaocal.exe
1588	Cpfaocal.exe
2680	Cbdnko32.exe
2680	Cbdnko32.exe
1444	Cmjbhh32.exe
1444	Cmjbhh32.exe
1592	Cphndc32.exe
1592	Cphndc32.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fpcopobi.dll	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cphndc32.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1956	2684	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cpfaocal.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2736	2844	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe	30
PID 2844 wrote to memory of 2736	2844	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe	30
PID 2844 wrote to memory of 2736	2844	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe	30
PID 2844 wrote to memory of 2736	2844	153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe	30
PID 2736 wrote to memory of 2916	2736	Bjdplm32.exe	31
PID 2736 wrote to memory of 2916	2736	Bjdplm32.exe	31
PID 2736 wrote to memory of 2916	2736	Bjdplm32.exe	31
PID 2736 wrote to memory of 2916	2736	Bjdplm32.exe	31
PID 2916 wrote to memory of 2696	2916	Bfkpqn32.exe	32
PID 2916 wrote to memory of 2696	2916	Bfkpqn32.exe	32
PID 2916 wrote to memory of 2696	2916	Bfkpqn32.exe	32
PID 2916 wrote to memory of 2696	2916	Bfkpqn32.exe	32
PID 2696 wrote to memory of 2704	2696	Bmeimhdj.exe	33
PID 2696 wrote to memory of 2704	2696	Bmeimhdj.exe	33
PID 2696 wrote to memory of 2704	2696	Bmeimhdj.exe	33
PID 2696 wrote to memory of 2704	2696	Bmeimhdj.exe	33
PID 2704 wrote to memory of 536	2704	Chkmkacq.exe	34
PID 2704 wrote to memory of 536	2704	Chkmkacq.exe	34
PID 2704 wrote to memory of 536	2704	Chkmkacq.exe	34
PID 2704 wrote to memory of 536	2704	Chkmkacq.exe	34
PID 536 wrote to memory of 1588	536	Ckiigmcd.exe	35
PID 536 wrote to memory of 1588	536	Ckiigmcd.exe	35
PID 536 wrote to memory of 1588	536	Ckiigmcd.exe	35
PID 536 wrote to memory of 1588	536	Ckiigmcd.exe	35
PID 1588 wrote to memory of 2680	1588	Cpfaocal.exe	36
PID 1588 wrote to memory of 2680	1588	Cpfaocal.exe	36
PID 1588 wrote to memory of 2680	1588	Cpfaocal.exe	36
PID 1588 wrote to memory of 2680	1588	Cpfaocal.exe	36
PID 2680 wrote to memory of 1444	2680	Cbdnko32.exe	37
PID 2680 wrote to memory of 1444	2680	Cbdnko32.exe	37
PID 2680 wrote to memory of 1444	2680	Cbdnko32.exe	37
PID 2680 wrote to memory of 1444	2680	Cbdnko32.exe	37
PID 1444 wrote to memory of 1592	1444	Cmjbhh32.exe	38
PID 1444 wrote to memory of 1592	1444	Cmjbhh32.exe	38
PID 1444 wrote to memory of 1592	1444	Cmjbhh32.exe	38
PID 1444 wrote to memory of 1592	1444	Cmjbhh32.exe	38
PID 1592 wrote to memory of 2684	1592	Cphndc32.exe	39
PID 1592 wrote to memory of 2684	1592	Cphndc32.exe	39
PID 1592 wrote to memory of 2684	1592	Cphndc32.exe	39
PID 1592 wrote to memory of 2684	1592	Cphndc32.exe	39
PID 2684 wrote to memory of 1956	2684	Ceegmj32.exe	40
PID 2684 wrote to memory of 1956	2684	Ceegmj32.exe	40
PID 2684 wrote to memory of 1956	2684	Ceegmj32.exe	40
PID 2684 wrote to memory of 1956	2684	Ceegmj32.exe	40

C:\Users\Admin\AppData\Local\Temp\153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe
"C:\Users\Admin\AppData\Local\Temp\153e2574f7f9fc7b899f58e6fc6eb038f4898391ad7e69f6755a8be1a79e8c9bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\Bjdplm32.exe
  C:\Windows\system32\Bjdplm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Bfkpqn32.exe
    C:\Windows\system32\Bfkpqn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Bmeimhdj.exe
      C:\Windows\system32\Bmeimhdj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjpdmqog.dll

Filesize
7KB

MD5
e73274b2dbedd56e5af6cffdae83480c

SHA1
0a45a99be4952d72c04d2af958a33d48038c7f65

SHA256
072d3c3dbf06efbeab0451b1c8135b232aace5cae760709198f99092c73c187c

SHA512
f7aa8164c68cef531b7a30baa23d3e485f10d98dbe7f9f95cca4ea985e023cea2df35d8b386aa972fd1e38c39e8f0416dc492ed47b0736ee9b9d50094ba5a810

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
74KB

MD5
db19a2e60c6096d26d06f05c9e8ae142

SHA1
80aea95b6b1a09a334243df79597044bb57cccf0

SHA256
338a06180feeafb05b9b581d7d0b6d5b80f062857ddc6491344a0b49f92325c6

SHA512
9111ad99f637d44077f23519fe0e9f8da8564921d1c0d08f37481ad30e919332f8295c21436d4fd0cb8f41460c2b448e34091f98e45c823a5f4487b051f3e5b6

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
74KB

MD5
b0c73f6774023b77aac6cf500cc0b164

SHA1
9f397abf63a4bd4690a55b9f7a10b54e25e1ce7f

SHA256
15c673090d8b73b6cd407392f2c8b72efca78fae20c6c7d999b3c25025642f9c

SHA512
0d6585b19351f01de66d3ee96219f5f5d056f687a1aaface88ce1414e7f5aa3999d7c9dd51ab492981dac53794762ca6b094f6969396f7adf705e8c5360569be

Download Submit
\Windows\SysWOW64\Bfkpqn32.exe

Filesize
74KB

MD5
e877e5af6c30cc4778bb9b76e3e8fa8e

SHA1
7088a19776f9580391823a4773d42c2654f6f191

SHA256
3ebca29fb04e719fa25e92a6da42454538cff85960f4a6e5b67f8fe9c7a12ffe

SHA512
8cd56d1ef68017936223f3ebde81479ea6add2b283e9b2c48dc277cbb92888eed67c1f822887b74ef1ad3b198042cc1a0de3fc17ec70df974639828d9b2984e5

Download Submit
\Windows\SysWOW64\Bjdplm32.exe

Filesize
74KB

MD5
f31e204f996dfb126c58c87afcb13880

SHA1
1c8a6b524e5c9b6d5ed9b1e7652904df505d752b

SHA256
27d93fdc5cda6f0b59c2dd4c03369f3b6d0e60bc92151411ff0ae6ea3266aea7

SHA512
076b2fc664acfb6525593364a48fcf543011b85516d670e3b53e8245a8813d136bc3b6fa7a72984a3ed9639263a03c199132c1a983565e26cb51242a3e2cb15c

Download Submit
\Windows\SysWOW64\Cbdnko32.exe

Filesize
74KB

MD5
db9aa2ffe99bce2cb0b12ceb65bf9563

SHA1
4da3628b79d25bc4c1409bdce0efb35f7bc87cb6

SHA256
497a7e9919ff9b1e8413401cdbf08830421779a32c2dd85f49f2c4eb423f6e73

SHA512
e24ab189c5e1672f439ac046d80e623c8d562997f84d3975261ba0eaab750fc16821193a0656c9d6ef5ca1f18eb0e6ec75b26bfdd0795d6ef46c1568266c7dd3

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
74KB

MD5
a7b9122c1f3b921353da9d030f17647a

SHA1
eca8142a7b428b9e8c3a733ad4ac7f57c8f51205

SHA256
2b3e91a668d30971b62a8e5b072bdd60822cb5573b97817d37551e08966c3a4c

SHA512
1d159a6aeb7c3d54149dad68e9b468197473e4a0c8b76ff935def47c62e93204fadee216ebf7efccac10788984c09b029913055b5f25435776d6afbe049ab044

Download Submit
\Windows\SysWOW64\Ckiigmcd.exe

Filesize
74KB

MD5
92d1b50e1ef60dd8f43ef450ebab6a61

SHA1
a9f687410fd87bc80d204bf4a69b00284b7a98e3

SHA256
d074b835ad372cb07e0105c6ee04584555fedd35149db02fc70538e5a28633c9

SHA512
fe24ea1a0520aaf5d96ba1b98a4fe0fe1815d2a8ad1eaa78d1138a16fb16a60af5220fa4e8436fc85425a0d4c8334d68c2509532405f99aefb26f7e59f3135f4

Download Submit
\Windows\SysWOW64\Cmjbhh32.exe

Filesize
74KB

MD5
29f174c2edc1ecb306292bccbdcf070e

SHA1
d802bc147b47b83c6e26f4b85aba865e36e37c13

SHA256
61fcad2104c8b604d0c3b2cd0c560d0fdb966653acf18ef26e6ba5e5c059089b

SHA512
976c6ed74b57a5cdf45a6df08eb64fd89d6391b4bf6842e905e65105a3b51e6b594389a54a1c72048594fa2c6a6ce86d8f20299d5cc05a47488c15c395ada82d

Download Submit
\Windows\SysWOW64\Cpfaocal.exe

Filesize
74KB

MD5
5ba0afff7ba7dc6505fdc23a7fed389a

SHA1
6e923ef302d0708b50328a73499b791709a19901

SHA256
f9f3c47e3d72000e722c81103178b30596d855ed53787e9cdd6314f595783c7a

SHA512
0bfe71db0018ef2b2a4552c23f18c07ff9ad022f52055b510b59705c64e706a2d66861ae134ab942fe941d4edbade32688d36ead40921f30dd02b34c34bf5986

Download Submit
\Windows\SysWOW64\Cphndc32.exe

Filesize
74KB

MD5
7069eafc5f4ecf4888f80254a66cb084

SHA1
43b73c500318f9102fd103dfcd4f3c782ff1afe9

SHA256
9af01ddb64cd0cb6e49f55ad0484add3177d489c3bee985f9e198a31997cd212

SHA512
eeb2c5791a0aa2ee304430b14fffe8fd123cd380fe88671d37d50710af5020c449b959ac2710c22fd2b6b339e334ab67e71fdf5193c669ae7b3cbee796b536e8

Download Submit
memory/536-149-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/536-68-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1444-108-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1444-145-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1588-81-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1588-147-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1592-121-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1592-142-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2680-94-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2680-148-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2680-102-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2684-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2684-134-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-42-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-50-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/2704-139-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2736-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2736-27-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2736-140-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-13-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2844-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-12-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2844-146-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2916-40-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/2916-141-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2916-28-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads