berbew | aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8e

Analysis

max time kernel
63s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Size

2.5MB
MD5

f8281729d115e8bf10ac004115c45bd0
SHA1

b64e677da61b26a128a8640ab2db3b2aa0863123
SHA256

aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8e
SHA512

49149d108c824a39f8093b8408a83d9d763bf112571566df0fda3c49dbb6f18d7b4d7b155966e47068b0f72001ad6622a55d7bb207b8e0c72364c1c071ef5589
SSDEEP

12288:QjbkY660JVaw0HBHOehl0oDL/eToo5Li2:ggdVaw0HBFhWof/0o8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldpiifb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmgao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igpdnlgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igpdnlgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphaglgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffiepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfceom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqamla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gihnkejd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhfmqge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpmgao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lefikg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjlejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bldpiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphaglgo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gihnkejd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlhfmqge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqamla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffiepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipkema32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefikg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbejjfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbejjfek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkehllh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieeqpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieeqpi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 19 IoCs

pid	Process
576	Bldpiifb.exe
2960	Bphaglgo.exe
3016	Ciglaa32.exe
3012	Dpmgao32.exe
2716	Dbejjfek.exe
2172	Eqamla32.exe
1700	Egkehllh.exe
2284	Ffiepg32.exe
2068	Gihnkejd.exe
3036	Hlhfmqge.exe
2272	Igpdnlgd.exe
2888	Ieeqpi32.exe
2196	Ipkema32.exe
2088	Lefikg32.exe
2416	Mjlejl32.exe
896	Mfceom32.exe
560	Nickoldp.exe
864	Nifgekbm.exe
1640	Opblgehg.exe

Loads dropped DLL 42 IoCs

pid	Process
1096	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
1096	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
576	Bldpiifb.exe
576	Bldpiifb.exe
2960	Bphaglgo.exe
2960	Bphaglgo.exe
3016	Ciglaa32.exe
3016	Ciglaa32.exe
3012	Dpmgao32.exe
3012	Dpmgao32.exe
2716	Dbejjfek.exe
2716	Dbejjfek.exe
2172	Eqamla32.exe
2172	Eqamla32.exe
1700	Egkehllh.exe
1700	Egkehllh.exe
2284	Ffiepg32.exe
2284	Ffiepg32.exe
2068	Gihnkejd.exe
2068	Gihnkejd.exe
3036	Hlhfmqge.exe
3036	Hlhfmqge.exe
2272	Igpdnlgd.exe
2272	Igpdnlgd.exe
2888	Ieeqpi32.exe
2888	Ieeqpi32.exe
2196	Ipkema32.exe
2196	Ipkema32.exe
2088	Lefikg32.exe
2088	Lefikg32.exe
2416	Mjlejl32.exe
2416	Mjlejl32.exe
896	Mfceom32.exe
896	Mfceom32.exe
560	Nickoldp.exe
560	Nickoldp.exe
864	Nifgekbm.exe
864	Nifgekbm.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mogllmge.dll	Gihnkejd.exe
File created	C:\Windows\SysWOW64\Ieeqpi32.exe	Igpdnlgd.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Nifgekbm.exe
File opened for modification	C:\Windows\SysWOW64\Eqamla32.exe	Dbejjfek.exe
File created	C:\Windows\SysWOW64\Ffiepg32.exe	Egkehllh.exe
File created	C:\Windows\SysWOW64\Ngppolhf.dll	Dbejjfek.exe
File opened for modification	C:\Windows\SysWOW64\Gihnkejd.exe	Ffiepg32.exe
File created	C:\Windows\SysWOW64\Igpdnlgd.exe	Hlhfmqge.exe
File created	C:\Windows\SysWOW64\Cpgidb32.dll	Lefikg32.exe
File opened for modification	C:\Windows\SysWOW64\Nifgekbm.exe	Nickoldp.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Mokegi32.dll	Bphaglgo.exe
File created	C:\Windows\SysWOW64\Qbegfg32.dll	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Bldpiifb.exe	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
File created	C:\Windows\SysWOW64\Eljgid32.dll	Ieeqpi32.exe
File opened for modification	C:\Windows\SysWOW64\Nickoldp.exe	Mfceom32.exe
File created	C:\Windows\SysWOW64\Heknhioh.dll	Mfceom32.exe
File created	C:\Windows\SysWOW64\Cfjjagic.dll	Bldpiifb.exe
File created	C:\Windows\SysWOW64\Ldcpnjhf.dll	Ffiepg32.exe
File opened for modification	C:\Windows\SysWOW64\Mfceom32.exe	Mjlejl32.exe
File created	C:\Windows\SysWOW64\Ipkema32.exe	Ieeqpi32.exe
File created	C:\Windows\SysWOW64\Lefikg32.exe	Ipkema32.exe
File created	C:\Windows\SysWOW64\Fpdopknp.dll	Igpdnlgd.exe
File created	C:\Windows\SysWOW64\Jhjalgho.dll	Nickoldp.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Nifgekbm.exe
File opened for modification	C:\Windows\SysWOW64\Dbejjfek.exe	Dpmgao32.exe
File created	C:\Windows\SysWOW64\Gihnkejd.exe	Ffiepg32.exe
File opened for modification	C:\Windows\SysWOW64\Ipkema32.exe	Ieeqpi32.exe
File created	C:\Windows\SysWOW64\Mjlejl32.exe	Lefikg32.exe
File created	C:\Windows\SysWOW64\Nickoldp.exe	Mfceom32.exe
File opened for modification	C:\Windows\SysWOW64\Bphaglgo.exe	Bldpiifb.exe
File opened for modification	C:\Windows\SysWOW64\Ciglaa32.exe	Bphaglgo.exe
File created	C:\Windows\SysWOW64\Ciglaa32.exe	Bphaglgo.exe
File opened for modification	C:\Windows\SysWOW64\Ffiepg32.exe	Egkehllh.exe
File opened for modification	C:\Windows\SysWOW64\Mjlejl32.exe	Lefikg32.exe
File created	C:\Windows\SysWOW64\Nifgekbm.exe	Nickoldp.exe
File opened for modification	C:\Windows\SysWOW64\Hlhfmqge.exe	Gihnkejd.exe
File created	C:\Windows\SysWOW64\Bbbmhm32.dll	Ipkema32.exe
File created	C:\Windows\SysWOW64\Hgioeh32.dll	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
File opened for modification	C:\Windows\SysWOW64\Lefikg32.exe	Ipkema32.exe
File created	C:\Windows\SysWOW64\Mfceom32.exe	Mjlejl32.exe
File created	C:\Windows\SysWOW64\Hlhfmqge.exe	Gihnkejd.exe
File opened for modification	C:\Windows\SysWOW64\Igpdnlgd.exe	Hlhfmqge.exe
File created	C:\Windows\SysWOW64\Ieaikf32.dll	Mjlejl32.exe
File created	C:\Windows\SysWOW64\Bphaglgo.exe	Bldpiifb.exe
File created	C:\Windows\SysWOW64\Lpfhlhbn.dll	Egkehllh.exe
File created	C:\Windows\SysWOW64\Jpfncf32.dll	Eqamla32.exe
File opened for modification	C:\Windows\SysWOW64\Ieeqpi32.exe	Igpdnlgd.exe
File opened for modification	C:\Windows\SysWOW64\Bldpiifb.exe	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
File created	C:\Windows\SysWOW64\Dbejjfek.exe	Dpmgao32.exe
File created	C:\Windows\SysWOW64\Egkehllh.exe	Eqamla32.exe
File opened for modification	C:\Windows\SysWOW64\Egkehllh.exe	Eqamla32.exe
File created	C:\Windows\SysWOW64\Dpmgao32.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Eqamla32.exe	Dbejjfek.exe
File created	C:\Windows\SysWOW64\Gnldgh32.dll	Hlhfmqge.exe
File opened for modification	C:\Windows\SysWOW64\Dpmgao32.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Bhnmcp32.dll	Dpmgao32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2228	1640	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefikg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nifgekbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbejjfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkehllh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nickoldp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfceom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffiepg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlhfmqge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipkema32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqamla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gihnkejd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igpdnlgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeqpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldpiifb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphaglgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpmgao32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lefikg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphaglgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffiepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfhlhbn.dll"	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbmhm32.dll"	Ipkema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heknhioh.dll"	Mfceom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbegfg32.dll"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffiepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphaglgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjalgho.dll"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bldpiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjlejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Bphaglgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdopknp.dll"	Igpdnlgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egkehllh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhnmcp32.dll"	Dpmgao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eljgid32.dll"	Ieeqpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieeqpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaikf32.dll"	Mjlejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnldgh32.dll"	Hlhfmqge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igpdnlgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqamla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gihnkejd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlhfmqge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgidb32.dll"	Lefikg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqamla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipkema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjlejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogllmge.dll"	Gihnkejd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igpdnlgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipkema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfceom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpmgao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gihnkejd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieeqpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngppolhf.dll"	Dbejjfek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbejjfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbejjfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfncf32.dll"	Eqamla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egkehllh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhfmqge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bldpiifb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lefikg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjagic.dll"	Bldpiifb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpmgao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgioeh32.dll"	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcpnjhf.dll"	Ffiepg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 576	1096	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe	30
PID 1096 wrote to memory of 576	1096	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe	30
PID 1096 wrote to memory of 576	1096	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe	30
PID 1096 wrote to memory of 576	1096	aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe	30
PID 576 wrote to memory of 2960	576	Bldpiifb.exe	31
PID 576 wrote to memory of 2960	576	Bldpiifb.exe	31
PID 576 wrote to memory of 2960	576	Bldpiifb.exe	31
PID 576 wrote to memory of 2960	576	Bldpiifb.exe	31
PID 2960 wrote to memory of 3016	2960	Bphaglgo.exe	32
PID 2960 wrote to memory of 3016	2960	Bphaglgo.exe	32
PID 2960 wrote to memory of 3016	2960	Bphaglgo.exe	32
PID 2960 wrote to memory of 3016	2960	Bphaglgo.exe	32
PID 3016 wrote to memory of 3012	3016	Ciglaa32.exe	33
PID 3016 wrote to memory of 3012	3016	Ciglaa32.exe	33
PID 3016 wrote to memory of 3012	3016	Ciglaa32.exe	33
PID 3016 wrote to memory of 3012	3016	Ciglaa32.exe	33
PID 3012 wrote to memory of 2716	3012	Dpmgao32.exe	34
PID 3012 wrote to memory of 2716	3012	Dpmgao32.exe	34
PID 3012 wrote to memory of 2716	3012	Dpmgao32.exe	34
PID 3012 wrote to memory of 2716	3012	Dpmgao32.exe	34
PID 2716 wrote to memory of 2172	2716	Dbejjfek.exe	35
PID 2716 wrote to memory of 2172	2716	Dbejjfek.exe	35
PID 2716 wrote to memory of 2172	2716	Dbejjfek.exe	35
PID 2716 wrote to memory of 2172	2716	Dbejjfek.exe	35
PID 2172 wrote to memory of 1700	2172	Eqamla32.exe	36
PID 2172 wrote to memory of 1700	2172	Eqamla32.exe	36
PID 2172 wrote to memory of 1700	2172	Eqamla32.exe	36
PID 2172 wrote to memory of 1700	2172	Eqamla32.exe	36
PID 1700 wrote to memory of 2284	1700	Egkehllh.exe	37
PID 1700 wrote to memory of 2284	1700	Egkehllh.exe	37
PID 1700 wrote to memory of 2284	1700	Egkehllh.exe	37
PID 1700 wrote to memory of 2284	1700	Egkehllh.exe	37
PID 2284 wrote to memory of 2068	2284	Ffiepg32.exe	38
PID 2284 wrote to memory of 2068	2284	Ffiepg32.exe	38
PID 2284 wrote to memory of 2068	2284	Ffiepg32.exe	38
PID 2284 wrote to memory of 2068	2284	Ffiepg32.exe	38
PID 2068 wrote to memory of 3036	2068	Gihnkejd.exe	39
PID 2068 wrote to memory of 3036	2068	Gihnkejd.exe	39
PID 2068 wrote to memory of 3036	2068	Gihnkejd.exe	39
PID 2068 wrote to memory of 3036	2068	Gihnkejd.exe	39
PID 3036 wrote to memory of 2272	3036	Hlhfmqge.exe	40
PID 3036 wrote to memory of 2272	3036	Hlhfmqge.exe	40
PID 3036 wrote to memory of 2272	3036	Hlhfmqge.exe	40
PID 3036 wrote to memory of 2272	3036	Hlhfmqge.exe	40
PID 2272 wrote to memory of 2888	2272	Igpdnlgd.exe	41
PID 2272 wrote to memory of 2888	2272	Igpdnlgd.exe	41
PID 2272 wrote to memory of 2888	2272	Igpdnlgd.exe	41
PID 2272 wrote to memory of 2888	2272	Igpdnlgd.exe	41
PID 2888 wrote to memory of 2196	2888	Ieeqpi32.exe	42
PID 2888 wrote to memory of 2196	2888	Ieeqpi32.exe	42
PID 2888 wrote to memory of 2196	2888	Ieeqpi32.exe	42
PID 2888 wrote to memory of 2196	2888	Ieeqpi32.exe	42
PID 2196 wrote to memory of 2088	2196	Ipkema32.exe	43
PID 2196 wrote to memory of 2088	2196	Ipkema32.exe	43
PID 2196 wrote to memory of 2088	2196	Ipkema32.exe	43
PID 2196 wrote to memory of 2088	2196	Ipkema32.exe	43
PID 2088 wrote to memory of 2416	2088	Lefikg32.exe	44
PID 2088 wrote to memory of 2416	2088	Lefikg32.exe	44
PID 2088 wrote to memory of 2416	2088	Lefikg32.exe	44
PID 2088 wrote to memory of 2416	2088	Lefikg32.exe	44
PID 2416 wrote to memory of 896	2416	Mjlejl32.exe	45
PID 2416 wrote to memory of 896	2416	Mjlejl32.exe	45
PID 2416 wrote to memory of 896	2416	Mjlejl32.exe	45
PID 2416 wrote to memory of 896	2416	Mjlejl32.exe	45

C:\Users\Admin\AppData\Local\Temp\aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe
"C:\Users\Admin\AppData\Local\Temp\aa96bb12220307edf69383167f84a3f4b8d03e6ee5efabcd2195af9daef71e8eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\Bldpiifb.exe
  C:\Windows\system32\Bldpiifb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\Bphaglgo.exe
    C:\Windows\system32\Bphaglgo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\Ciglaa32.exe
      C:\Windows\system32\Ciglaa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\SysWOW64\Dpmgao32.exe
        
        C:\Windows\system32\Dpmgao32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\Dbejjfek.exe
        
        C:\Windows\system32\Dbejjfek.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Eqamla32.exe
        
        C:\Windows\system32\Eqamla32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Egkehllh.exe
        
        C:\Windows\system32\Egkehllh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Ffiepg32.exe
        
        C:\Windows\system32\Ffiepg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Gihnkejd.exe
        
        C:\Windows\system32\Gihnkejd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Hlhfmqge.exe
        
        C:\Windows\system32\Hlhfmqge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Igpdnlgd.exe
        
        C:\Windows\system32\Igpdnlgd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ieeqpi32.exe
        
        C:\Windows\system32\Ieeqpi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Ipkema32.exe
        
        C:\Windows\system32\Ipkema32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Lefikg32.exe
        
        C:\Windows\system32\Lefikg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Mjlejl32.exe
        
        C:\Windows\system32\Mjlejl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Mfceom32.exe
        
        C:\Windows\system32\Mfceom32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Nickoldp.exe
        
        C:\Windows\system32\Nickoldp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Nifgekbm.exe
        
        C:\Windows\system32\Nifgekbm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhnmcp32.dll

Filesize
7KB

MD5
eaf9b71eaab954014ccf5ee8856a2889

SHA1
f9f9a9a191437505d756c91f4a64440ead5af15f

SHA256
421f2242cb95b4601e37ca30d6dc422642a9b8b7676f44dc460b15b6b8555871

SHA512
3a56db97915313becf4a46a58140b60f28087651ca3fc97de5c97271686321776686136c8004ffa66772249173f8fd96733559ca7addb60cb6f3147131f41c69

Download Submit
C:\Windows\SysWOW64\Bphaglgo.exe

Filesize
2.5MB

MD5
0be46874c1753ce24d2ceacb1dba5c33

SHA1
89373dbadf2669bd66811e69688434b009b960ac

SHA256
a6f328a6de0f35a3cf7cef84144261324bbc9baa01e01e90e381a9433ee3bae4

SHA512
c891a8f6aadc31598f8c453a11000d9002f5803c0bef0cad922f12ec9c83303b35293bb87f4176555e030096083fc5cd9e69e9d16e4d80045aa2583cb5902623

Download Submit
C:\Windows\SysWOW64\Dpmgao32.exe

Filesize
2.5MB

MD5
ef0194ff75201269251fd3aa93d84053

SHA1
432a1fbe4d2778a882f8ed8ddcd8f3f09da2dec6

SHA256
b31b5fdddac688c4c8596bf60f6ce9ec105b48b0b7c187f4e031da9256bdef5c

SHA512
8749e6419d13df1afe6e629ff5332b54cad68a8eb0b22f6c3584df5ae43aec6d79c4b02f3628446f8390c2c988bbf276f611fb858c9b41907061e77844af9561

Download Submit
C:\Windows\SysWOW64\Eqamla32.exe

Filesize
2.5MB

MD5
4f403540fec2d50a9ea834c110c0cb6b

SHA1
4e37efb157521c7cb93bfb405145cf9bc253f05c

SHA256
04b07060886ac64b42205f5e7c3e519e12903560626a45a2ca99bf1471bbc4cb

SHA512
361ec0f6c623c26ae2efe8e08b42da1746c5d1022fe02d54a3193641ec6324b923b8e11cecf1023f460d04a9ec842370894cf3b8e836656dd288cfddecff459f

Download Submit
C:\Windows\SysWOW64\Ffiepg32.exe

Filesize
2.5MB

MD5
1e798483405e295a62d3f49981be1147

SHA1
85be7c99bb0468a5cda2513fd4a4f1f4d600216f

SHA256
318fe04a75f83793b8cc233213796974a0018670908749100a937343fe40d860

SHA512
25ce6ade0093383f8a049f9bc3e4fa24267bcd6b9f2d403ff67cf9ce55a3c6552d71a85c3a78bbf8a8da9317fa884ef071ce2c90f67a4b4c406adee8b8cdbcdc

Download Submit
C:\Windows\SysWOW64\Ieeqpi32.exe

Filesize
2.5MB

MD5
680736acf09ddbab5e7559919d2c3a96

SHA1
ced95a8fd0b97d6d03a5bbedcd9f59b255e5862b

SHA256
e3aeb36e8787d4b843b251e3abc371bbd02252e65e24ddfd1f7970af5b7732be

SHA512
b79a158ba64a8fda7d5198fd3261904ef47ef26d329de818f08ab44491037a63183c89ced920cec27a8b2d17b66a497130b602055ca299d583e2fb91c76202b3

Download Submit
C:\Windows\SysWOW64\Igpdnlgd.exe

Filesize
2.5MB

MD5
80481e3d7c44c2f2c5bc1a37e36bb5a4

SHA1
2ab84f3fbb94e3f0bb17a33eaca51f951e4ab5da

SHA256
1df241410e7ae18be40feb67a11f90007e7d4edd014372f9fa19a9be52efed13

SHA512
a768839448e8c579950a158dbeb0e242380f76bac476f6e13be4e27bdf85ab6d9b9cbcbf193a6685f4a6b780d2aa60a38b5d4db673caa659f0a4866fe5a191fd

Download Submit
C:\Windows\SysWOW64\Lefikg32.exe

Filesize
2.5MB

MD5
832f0b6cfd8f7a2d99601bcf29a30602

SHA1
4ffe231061a0c4e8ece082eecab3c009d7d6e1f2

SHA256
ca113ede342d26306778d707b7c03c89d29729fb3d28d34dfc66be5095692c7f

SHA512
11060eb0413e6f09c092a372eeb0e215d613f4760e9ed911115386573f09af0e889c45b022028ba4ac5b44aeae050127784bc1e3c688eec401ae0a6bb317d7a6

Download Submit
C:\Windows\SysWOW64\Nickoldp.exe

Filesize
2.5MB

MD5
0c468ce053148f67328ba0f7d586b554

SHA1
1d5378a2ebd62757c972fb27c33e481b66e883dd

SHA256
bba200d76bfacf5ee91f14d5dff90e1a0432d7a8b8e218d79c24a851a122a012

SHA512
33c4bf012eaa45de25faa1f229daf7219a9c22f57372c79fe330a74884170206ae17d8f65f8eecbcdd6ac94e614d821bd06a28ee1e027ce19876fa4759051d40

Download Submit
C:\Windows\SysWOW64\Nifgekbm.exe

Filesize
2.5MB

MD5
91c92eebbae100c59c79e8ec7b25a4c0

SHA1
ae128f0ff96e0926687c1b939b67ec68b90ba6e9

SHA256
5a7e91bcc0aa4cc491b5cc8b7718bba5f18211abab767e139c9624eb8c46b9af

SHA512
f472a06fdecdd49ee44fb6e365f2f4a17986e29bb4491b4cb97dc2361e04c6e775a69814ae11139925291f349066fa375c3197f8b93d9e6fa10240cdf8f2d754

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
2.5MB

MD5
c4dc11cda558d56e5005eb21550e4f04

SHA1
2da38935dbd37e0a2979d0f65900269b393698be

SHA256
88394d473eddc12f34ae24d7866be03dec233aa93da039f84cc0a6764ac8b6cc

SHA512
fef849f91600f36fa365b2453264a2bcbaaef8d33ad6919eda40bb2c1870119768661bccf29c94a2b5f93550b322d5aeb37b63c7d9366500a4ef303d576405a7

Download Submit
\Windows\SysWOW64\Bldpiifb.exe

Filesize
2.5MB

MD5
612154132b04e1f58cfdceebffe68f5f

SHA1
44934f2c143334938e52f6f09412e81bc3de34e1

SHA256
4d4c116001ede281018b22f8976aa42919c679768fc5454f944540dbea3a6fc4

SHA512
72a10abbf6a4858569698cb7a686010546384dab22ba6ade51a7162e341d2f90d0c98dd798a59e8c7039a34b59245f6cfaa327ac56078a3a099c39bca2d2f54c

Download Submit
\Windows\SysWOW64\Ciglaa32.exe

Filesize
2.5MB

MD5
3ef005a97c5b287c79635727a458d70f

SHA1
79957cdaebca90cf345164b2dc1ffda678fc90e9

SHA256
77ea80035f0a707efdae6e11249b4cc714b3635b69cd5966a6476b3398775b42

SHA512
9d34e046d294ed3d48f8e2be08d1a27a78c386c01397cf590c701bc4ad17e2746a0e48dd167448d0cb985a21233cbb3665e9c1b74f683fc7e04c0df3f2451c5e

Download Submit
\Windows\SysWOW64\Dbejjfek.exe

Filesize
2.5MB

MD5
a1c93123d9742504b698a56dc2006e19

SHA1
1b39b5635262b1e733d1699a128aea2a184cf62c

SHA256
255aae9cb4a758b333335a691842a6654932aa5539a518b99193a2753e0a1576

SHA512
27bcb5923af60a660b2d6eee3c463c79977cb8941b504d4b66536f72161c2531cbe16131da861ad385bd9660002ed4cb16680437a29dbd8b29e7333f9fd54a33

Download Submit
\Windows\SysWOW64\Egkehllh.exe

Filesize
2.5MB

MD5
c2deb77f4a0cec5dddf1990285eb27e1

SHA1
41cf55cf84c47748238f3a2f29839154dfa4caa3

SHA256
58ab2b66e76c7b939203ac95d1081bfa248e4adb8c3b26ce57d17110ec8ccbef

SHA512
bba0ab665de3f8430ab1ec1b7e1b07e68beb8667bb7e5e4698fa7b7094af2f5d2a56768d7791346715b7df1cc4ede98daa86fcea69904ffa6353c8d666e85b1d

Download Submit
\Windows\SysWOW64\Gihnkejd.exe

Filesize
2.5MB

MD5
20da3e5980376477b928301a00f9cc8f

SHA1
f221f0fb3da8eeb27226a5f2b787b386ba600869

SHA256
15f927e01dccd0d77a205aece938f0ccf9b687470766d53bd3a59e8c3f666e00

SHA512
3052a35138e467bc30393047cf7215b7fc1677c429d0fad0bafc9abecf2792076ff5451e868236016022389c84f6e6bc04219ae34d0f7b28a30a441b2d5c919e

Download Submit
\Windows\SysWOW64\Hlhfmqge.exe

Filesize
2.5MB

MD5
5abfae21f04854d47d7b94f3a60f3514

SHA1
2033750a5b86cde248e16bcac787a6bac7600b58

SHA256
4d49869798b86399c4e3718ae2a6dfcb95532a6175464b09dc41596002297893

SHA512
65b3229e3718297ae64006646be19c2cd1eae80981603bc4823a75ac074bb6df0ed4ffbb484eb4811a2edd9878328f6dbbab950fe90899bb16e5855ee5cabb85

Download Submit
\Windows\SysWOW64\Ipkema32.exe

Filesize
2.5MB

MD5
c98ee9a804793f8957ef960a12e6ee61

SHA1
39db75b022bec72b11e16813fbf1e81cbf245f81

SHA256
10142570da537a4b5390907a1d2ca723941ec706d2955a8963c147988da9d592

SHA512
8f322ab3e8003611bc0eaec62299e066e4e8e0611787f493ebc805ba3afe2506f7076d149a84ad0cfdf03bc8078be631764348961bdd9e99804ef99beeaa5c0b

Download Submit
\Windows\SysWOW64\Mfceom32.exe

Filesize
2.5MB

MD5
37b2d9a67afff3786af0bd4b979040db

SHA1
02e3c43c3133ffa55a0aea13bb01671f784d928c

SHA256
da16c0fc9557099a35061ef67fcb6e95a2efc085ef3782c1d07b1c05db2c8d3f

SHA512
164d250250eb151089786690c2a36c2c67955f63c1d575dbc5095fa455c5df7df0e635a8037cee524391f946d4db7fa786b213bee2de25eb3db714324b2b6142

Download Submit
\Windows\SysWOW64\Mjlejl32.exe

Filesize
2.5MB

MD5
4ebd84e5f29867b78d5ee524dba20e8a

SHA1
38d9116401208e9263f13f169088771944cc1dbc

SHA256
eebc8bddf610a7203d790085b3b48e71094570cc0bf8bffed9173b749ba704cf

SHA512
0d2dc2e011d0ad1ba65a27b8abae3a290831ed1430936d801887bfe6986816e93ac1c68d014fca7ec5e7a0e252c2c39f6a62f471ec84c561e416f92e221957c6

Download Submit
memory/560-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-249-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/560-250-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/576-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/576-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/576-25-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/864-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-239-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/896-235-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/896-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-7-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1640-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-112-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1700-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-111-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2068-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-137-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2068-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-211-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2088-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-212-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2088-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-94-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2196-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-170-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2272-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-127-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2284-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-126-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2416-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-222-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2416-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-82-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2716-84-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2888-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-180-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2960-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-34-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2960-40-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/3012-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-64-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3012-68-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3012-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-54-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3016-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-156-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3036-151-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads