berbew | 4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
Size

320KB
MD5

e3b76a347dca8c4b3dd255e6e8404790
SHA1

8391842a0d280409701fccd179fd4e1a4b6ec97d
SHA256

4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9b
SHA512

f34bca1f906981f2403a87738be7ee199e4a271553844f6e406dab46646f6bc25be2147db5130705e9fe196d52a59cdd5a60538cced3f1e76f39a23cb064ef45
SSDEEP

6144:h3oNK1HLtpHVILifyeYVDcfflXpX6LRifyi:YcrHyefyeYCdXpXZfyi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llepen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llepen32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 8 IoCs

pid	Process
2212	Kekkiq32.exe
2804	Kjhcag32.exe
2848	Kocpbfei.exe
2820	Kenhopmf.exe
2684	Leikbd32.exe
2492	Llepen32.exe
1788	Lcohahpn.exe
2064	Lepaccmo.exe

Loads dropped DLL 20 IoCs

pid	Process
2524	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
2524	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
2212	Kekkiq32.exe
2212	Kekkiq32.exe
2804	Kjhcag32.exe
2804	Kjhcag32.exe
2848	Kocpbfei.exe
2848	Kocpbfei.exe
2820	Kenhopmf.exe
2820	Kenhopmf.exe
2684	Leikbd32.exe
2684	Leikbd32.exe
2492	Llepen32.exe
2492	Llepen32.exe
1788	Lcohahpn.exe
1788	Lcohahpn.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Ffakjm32.dll	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Leikbd32.exe	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Llepen32.exe	Leikbd32.exe
File opened for modification	C:\Windows\SysWOW64\Llepen32.exe	Leikbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lcohahpn.exe	Llepen32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Kekkiq32.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Mcohhj32.dll	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Mcbniafn.dll	Leikbd32.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Llepen32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Kekkiq32.exe	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Jpnghhmn.dll	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Llepen32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Kekkiq32.exe	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
File created	C:\Windows\SysWOW64\Kenhopmf.exe	Kocpbfei.exe
File opened for modification	C:\Windows\SysWOW64\Kenhopmf.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Leikbd32.exe	Kenhopmf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2396	2064	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llepen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcohhj32.dll"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll"	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbniafn.dll"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leikbd32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2212	2524	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe	30
PID 2524 wrote to memory of 2212	2524	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe	30
PID 2524 wrote to memory of 2212	2524	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe	30
PID 2524 wrote to memory of 2212	2524	4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe	30
PID 2212 wrote to memory of 2804	2212	Kekkiq32.exe	31
PID 2212 wrote to memory of 2804	2212	Kekkiq32.exe	31
PID 2212 wrote to memory of 2804	2212	Kekkiq32.exe	31
PID 2212 wrote to memory of 2804	2212	Kekkiq32.exe	31
PID 2804 wrote to memory of 2848	2804	Kjhcag32.exe	32
PID 2804 wrote to memory of 2848	2804	Kjhcag32.exe	32
PID 2804 wrote to memory of 2848	2804	Kjhcag32.exe	32
PID 2804 wrote to memory of 2848	2804	Kjhcag32.exe	32
PID 2848 wrote to memory of 2820	2848	Kocpbfei.exe	33
PID 2848 wrote to memory of 2820	2848	Kocpbfei.exe	33
PID 2848 wrote to memory of 2820	2848	Kocpbfei.exe	33
PID 2848 wrote to memory of 2820	2848	Kocpbfei.exe	33
PID 2820 wrote to memory of 2684	2820	Kenhopmf.exe	34
PID 2820 wrote to memory of 2684	2820	Kenhopmf.exe	34
PID 2820 wrote to memory of 2684	2820	Kenhopmf.exe	34
PID 2820 wrote to memory of 2684	2820	Kenhopmf.exe	34
PID 2684 wrote to memory of 2492	2684	Leikbd32.exe	35
PID 2684 wrote to memory of 2492	2684	Leikbd32.exe	35
PID 2684 wrote to memory of 2492	2684	Leikbd32.exe	35
PID 2684 wrote to memory of 2492	2684	Leikbd32.exe	35
PID 2492 wrote to memory of 1788	2492	Llepen32.exe	36
PID 2492 wrote to memory of 1788	2492	Llepen32.exe	36
PID 2492 wrote to memory of 1788	2492	Llepen32.exe	36
PID 2492 wrote to memory of 1788	2492	Llepen32.exe	36
PID 1788 wrote to memory of 2064	1788	Lcohahpn.exe	37
PID 1788 wrote to memory of 2064	1788	Lcohahpn.exe	37
PID 1788 wrote to memory of 2064	1788	Lcohahpn.exe	37
PID 1788 wrote to memory of 2064	1788	Lcohahpn.exe	37
PID 2064 wrote to memory of 2396	2064	Lepaccmo.exe	38
PID 2064 wrote to memory of 2396	2064	Lepaccmo.exe	38
PID 2064 wrote to memory of 2396	2064	Lepaccmo.exe	38
PID 2064 wrote to memory of 2396	2064	Lepaccmo.exe	38

C:\Users\Admin\AppData\Local\Temp\4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe
"C:\Users\Admin\AppData\Local\Temp\4bca3806a413c0f44bbc5a92e515c02904056dfd5ed55008054351f304636e9bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\Kekkiq32.exe
  C:\Windows\system32\Kekkiq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\Kjhcag32.exe
    C:\Windows\system32\Kjhcag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\Kocpbfei.exe
      C:\Windows\system32\Kocpbfei.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Llepen32.exe
        
        C:\Windows\system32\Llepen32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kekkiq32.exe

Filesize
320KB

MD5
5493cd45f8ed73b30b856f34d39feab1

SHA1
11d49e8c8b5cbbddf253e2a38dcc76b7447b31e3

SHA256
ef5dc65cdae0665a297087178ed32d2d5f8beafbb9ce0788522f90183c31c80f

SHA512
a0516cc9973575ddb34ba1dcb7de4ee1fce6a3c9f68fd6acb68d1913dfefd543ce95683b9e138e47e6602ac513b88ce647ed1e509e50c95cafe4fea46245b2ab

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
320KB

MD5
27a9a200d5554e422ad9e2d24dcf36ab

SHA1
b70b3469b6a5585e36405af3ceb8ac74016e2773

SHA256
03b6e07b1aacf605562cbf099840d3847189eef1e90da29e7b672b960b2842b1

SHA512
485606eb9082636e8812b3bb59586d9fb90c856bc0ae9b32b47bd08035352989910b4a4039014d15533f8918fe91604234461c28bbccd8557aa78b1ad13aadbf

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
320KB

MD5
e5d7dccd7d9b6af3728ed43979708b32

SHA1
50c79c3b7dddabb1a04b56f74acb25c5e7f3d1b2

SHA256
dcd9943c0d651cee1da907777cceadf42b927e1de25a98d02de9f9674acf4060

SHA512
788743e9cf882521b01a060dfd1d6866f6b308d05753e3298098c6a693a5dfb765d262e0fe9723b5fa91a6c55c4b07a0a35fbf46ec058fcb69ff7a7c1a740997

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
320KB

MD5
e4516cb09424b8c0ffc5815e977b89de

SHA1
4f2c9e2d41d8cbf4443b76907cb2e163c6124b9b

SHA256
57e83454884906b642e00f95104572303e8884f34291ef923792359a1eefb060

SHA512
62bcf1b6b8c52705260dc5bae9846440f2c60e90c4d5459787c66aa36b4bcc3174ded3543bfb21bf24c3bf532ee710bfa8f9802f304a1b4ec98fd8a9e7e50e3c

Download Submit
\Windows\SysWOW64\Kocpbfei.exe

Filesize
320KB

MD5
9e40c92a2d8204a8d57c957de398a95d

SHA1
9aab4c41a0df2b269b3264c40dd726f52f2afeb8

SHA256
6623ea75a88f24114b9dd48df09e84f6250c1f267affb532ec4d440c893b2832

SHA512
6127a53c11684cc2e7cb455c03ffd1e58da574ca33ba8847b411ab6c7aa3370f24bc35524d88dbbbc230255c2cda66b8a3c1037b4ea309350b12dbc505522d4a

Download Submit
\Windows\SysWOW64\Leikbd32.exe

Filesize
320KB

MD5
dc7b5e7b66206e97a9be6ca853d0a14c

SHA1
a531047a8527f15a48eda15e2563fd9ce408f8fa

SHA256
b07363d00c7ecae196c0f6adf2c24a9fb3392a5d2e8b16a408f0760a6d5d5d1a

SHA512
4b5875a6a1c9b68225cf9b9b4dd0bf5292b39c67e02f1831d59c4fd98c74b48082744185b87e772ed74ffa36e6ae8d05f1cc9bd7487eca75abc6227bb4439581

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
320KB

MD5
a84f592bab70923d40f7598af8492e19

SHA1
9064f9c4410299f57920e306749438112d20c659

SHA256
8765809ee83dd84f674f3075f80f7514a3d23ddb204a6dc6d5cd32540848b801

SHA512
913edcca42da874367a772ab2b57ba0f4d3cc6be9121dfef510df7034819f2976a86cc1d890fc7ff473e77e2885fbf76307ab1739041cdf032c451a2acf378de

Download Submit
\Windows\SysWOW64\Llepen32.exe

Filesize
320KB

MD5
32bc4f209b5d97f50108aea9d5b44abd

SHA1
3cfad19457536d34b5f16fb414ae89b4ef727c9e

SHA256
f6b9cf7742d6eb9f41ea6909ed604efaacb3829fc9593d82224d75782744d4d5

SHA512
3ee68b28099926c4458a8387b94a1feee606a3ef3a72b3ced8c0821010b8ed7b2b4d53285c9eedb4421367dc7a0b6f8c7b84df2e80daefca3693f3587975973d

Download Submit
memory/1788-118-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1788-112-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1788-100-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/2064-107-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2064-129-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2212-31-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2212-126-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2212-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2492-115-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2524-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2524-12-0x0000000002000000-0x0000000002059000-memory.dmp

Filesize
356KB

Download
memory/2524-127-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2684-68-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2684-114-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2684-93-0x0000000000300000-0x0000000000359000-memory.dmp

Filesize
356KB

Download
memory/2684-116-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2804-32-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2804-123-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2820-67-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2820-54-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2820-119-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2820-117-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2848-52-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2848-122-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2848-120-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2848-53-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads