berbew | d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Size

93KB
MD5

6319c733be4900930ad3334d877bc2b0
SHA1

e7ea435375217d6d722d6f5143db33d7d1a52d57
SHA256

d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58
SHA512

429253fa2c2a5ae911fd6c0f54e492ccdad186b7832a17f55c500143fe7dd816508e504cdc3bfaeae35ba0062a6b0fde7fcb62be0344ba660620e45116c041da
SSDEEP

1536:sJ+PRW2QFb5tAuCi+9LrlotywsfFXO0ANpwdasP0LVksInd8Ron8vp4MqPa/:sJ+PRWPFUpxFoywsfxO0QO9KVksIdvnU

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
4560	Dopigd32.exe
2072	Dhhnpjmh.exe
948	Dmefhako.exe
4980	Ddonekbl.exe
4344	Dodbbdbb.exe
740	Daconoae.exe
4540	Dhmgki32.exe
3988	Dmjocp32.exe
2868	Dhocqigp.exe
4552	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3212	4552	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4560	1800	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe	83
PID 1800 wrote to memory of 4560	1800	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe	83
PID 1800 wrote to memory of 4560	1800	d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe	83
PID 4560 wrote to memory of 2072	4560	Dopigd32.exe	84
PID 4560 wrote to memory of 2072	4560	Dopigd32.exe	84
PID 4560 wrote to memory of 2072	4560	Dopigd32.exe	84
PID 2072 wrote to memory of 948	2072	Dhhnpjmh.exe	85
PID 2072 wrote to memory of 948	2072	Dhhnpjmh.exe	85
PID 2072 wrote to memory of 948	2072	Dhhnpjmh.exe	85
PID 948 wrote to memory of 4980	948	Dmefhako.exe	86
PID 948 wrote to memory of 4980	948	Dmefhako.exe	86
PID 948 wrote to memory of 4980	948	Dmefhako.exe	86
PID 4980 wrote to memory of 4344	4980	Ddonekbl.exe	87
PID 4980 wrote to memory of 4344	4980	Ddonekbl.exe	87
PID 4980 wrote to memory of 4344	4980	Ddonekbl.exe	87
PID 4344 wrote to memory of 740	4344	Dodbbdbb.exe	88
PID 4344 wrote to memory of 740	4344	Dodbbdbb.exe	88
PID 4344 wrote to memory of 740	4344	Dodbbdbb.exe	88
PID 740 wrote to memory of 4540	740	Daconoae.exe	89
PID 740 wrote to memory of 4540	740	Daconoae.exe	89
PID 740 wrote to memory of 4540	740	Daconoae.exe	89
PID 4540 wrote to memory of 3988	4540	Dhmgki32.exe	90
PID 4540 wrote to memory of 3988	4540	Dhmgki32.exe	90
PID 4540 wrote to memory of 3988	4540	Dhmgki32.exe	90
PID 3988 wrote to memory of 2868	3988	Dmjocp32.exe	91
PID 3988 wrote to memory of 2868	3988	Dmjocp32.exe	91
PID 3988 wrote to memory of 2868	3988	Dmjocp32.exe	91
PID 2868 wrote to memory of 4552	2868	Dhocqigp.exe	92
PID 2868 wrote to memory of 4552	2868	Dhocqigp.exe	92
PID 2868 wrote to memory of 4552	2868	Dhocqigp.exe	92

C:\Users\Admin\AppData\Local\Temp\d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe
"C:\Users\Admin\AppData\Local\Temp\d5a3f6ba93931a21025fcfe0e6b522adf54cfb0c03d737f11dbfa474875ffd58N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\Dopigd32.exe
  C:\Windows\system32\Dopigd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\Dhhnpjmh.exe
    C:\Windows\system32\Dhhnpjmh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\Dmefhako.exe
      C:\Windows\system32\Dmefhako.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 404
        12⤵
        Program crash
        
        PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4552 -ip 4552
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
93KB

MD5
03b4b91c95441388bb3da5520bfca3c2

SHA1
2e63d46904e808de4897ceaf993baef31205e13f

SHA256
980c4a73a972f9552edd37493149215efc020b44f381c149da5a6a7bcc6a7705

SHA512
f2a1f8ad263c96a45d6922fd8b735773b0587b73b245b3e8d62a1387fcbe665a5a63a44d576f383c837b6c8f11a3cdb0a9191fa4c2c55d86971d3def1f9ce947

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
93KB

MD5
ced4fca8f1e035e14b9a11366198c29a

SHA1
c0657db11665ca68dff814f49328b5dfbeef3562

SHA256
4aa7bec55623237ff191544fc57e552e039727ff2681d024132681a25a0090a9

SHA512
e7a86ec469f8bd6d4383e21c7ca1284a77b7f1086ce2dd0df1f9be6d984e4e022bf1145e948bde90c49ad11fa17a0a3c8c32888fae7303730f56e1d63a5a5d24

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
93KB

MD5
c144271ea3599e4fb25fa2de09d2f0b6

SHA1
a5097d6967597b551a7cbbc1fbe3fba4a0fdc1c2

SHA256
99505c34ec72bdecea6086cc1a173937f472d185d741bd4315c5e81af7f2e9e1

SHA512
7f893b710e84469477857bc684b8f4c1a48619f1543718f5bdd1265e7e761af796e3c5f37e9ba7f7dbc7cbac86ebb9f143f1cf42332ee8b8cf01077e92d067da

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
93KB

MD5
d659c0e0670e4a5a80efad348474a0dd

SHA1
72362f9e636b1e1fd84dee02f13c2a1a309b0f54

SHA256
b120458e7057f077091aff59504dfef17a918808dbbbb2e734c6c66f641233ec

SHA512
692b71d4d40ec65a1b91c06937bb18a4bb7a440e90118e6e64a860c49d59cdca5d74bdc99a61496d9acf90854aae8c095d8bdb356556e60dba0e0343d5ba7301

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
93KB

MD5
108787fa58da7bbd405ae983c569f94c

SHA1
0e2680b93f0664cf7e42f64469da9c863f9eeea1

SHA256
a689e02998aaa0eb306ba80991942a780ab14f43b08dedc0c52d8baa0076b31a

SHA512
564420cc577c48709fb5414c735b5d4c1d4ac89039b546f483b2579609ef9d0bdb8603c90cedee382b7992d103d769726a675c45b0a0c22f7316d20797a6a7d4

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
93KB

MD5
2d387adb2efbb01a64c2a09a40ff74a2

SHA1
af69831a3269522eafd92767dad61c8cd7926df7

SHA256
e0ac358b23941834bd0d73736dcf7194b6d769337735fdfdadca96293097a106

SHA512
e1e17a14731baeef25d8004631b576e6cf6d5b977344d2a59a549c2e20b0d3e107830f547e08ecd8f4fb241c73f22d3b2e4c910f1252202c2d6b96ca1eab788b

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
c6fd5c4900a6d3eb4cf4f3fd6c431ca1

SHA1
2d4249786e58f3cb9d1a880a86878657f87fb48b

SHA256
256d9d33a052d95d0c43bdc32695ebe109ef78efbe3bc42ca5aa6f0615697a70

SHA512
527331308bd778610fb7626049a1f82b495dce1ca1cd70743991475efaba66edc5bc93afa39d0506ea2f9407605a3c084e17f4a1bb86123d82f14b9581d0940c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
3e3cde6fc586f6b0fe4e4c81a3c811e5

SHA1
28c7ad955093cdececbe018949dda23cf9c16ab1

SHA256
9356420c341d93f396fd38d08f0928f35751ce8f386768c4b9368807a6bb0a82

SHA512
730463d737e3a766431e4ba8bd5d43cbbab9183811a53995d167573a764a0bf0d5978dfde556af9d1837d3d34e26be5dcee449ad8e072bf16fc687175d9b1732

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
93KB

MD5
52879edef37601f708ed53a19f2b0a98

SHA1
ad43ff797b37e72594ddb81c62acf6b96a6342a9

SHA256
b432390f7d74929df2e72ae9c01f9287c2c33755df41cf00d50fcb5121253268

SHA512
ee9516c64a9ebb03a17221512e5918abd96eca48a0296c560331f731e3a0942cb4e732bafd7e868334d946ef3a49204cef9f79abad17ebc4b12f673635adf94a

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
93KB

MD5
87b3c5179c796b3e757dac9661c31e03

SHA1
8ae025e45994717310cd1dc529cc137aa0d15bc1

SHA256
13683bca5eb92cf2c10910c996bffe97b5432df1f4b659ce5c4b71ab55e3320a

SHA512
0fc1f22401c2d554cd1856006ab21cf014243df33979f5dd58baeaa5df638ca6b96f0f62e21285f3a2313aa5fba2698607687772e6d30d9c9be617db4e74e513

Download Submit
memory/740-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2072-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads